Analysis

  • max time kernel
    115s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    13-07-2020 06:33

General

  • Target

    6493e77b005827994d24d53f156ebb70.exe

  • Size

    1.2MB

  • MD5

    6493e77b005827994d24d53f156ebb70

  • SHA1

    8a7bdee0fd0146727a6188d455ac915f803601df

  • SHA256

    2a24ef9460476dc67c3e4f5fc17ddcf582e556def4278f8760d27f5b6e0735ca

  • SHA512

    0ae54906c14d12d245d6fc167147dbbe0b518d8f7229b218d4b119244392e0ced7d91d96cedbfc6be3e0a3831d93fc348619915360305b14054890e05240a3a6

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtpout.secureserver.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Front@line1

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

  • AgentTesla Payload (4 IoCs)
  • Executes dropped EXE (2 IoCs)
  • Loads dropped DLL (5 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses (6 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of SetWindowsHookEx (1 IoC)
  • Suspicious use of WriteProcessMemory (13 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\6493e77b005827994d24d53f156ebb70.exe
    "C:\Users\Admin\AppData\Local\Temp\6493e77b005827994d24d53f156ebb70.exe"
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID: 1612
    • C:\Users\Admin\11595538\edsoqm.pif
      "C:\Users\Admin\11595538\edsoqm.pif" rsagv.qww
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID: 1892
      • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID: 1928

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: System Information Discovery, T1082 (1)
  • Collection: Data from Local System, T1005 (3)

Downloads

  • C:\Users\Admin\11595538\edsoqm.pif
    MD5

    6c791836a7f45952c1183d31e07bd966

    SHA1

    24f3d4a239e338ddb6f48e6eb706d3f19a280248

    SHA256

    c70c58c4b0b01a5985e3b7820977acef3a6d78e653709dab84d47c06b5f1d43d

    SHA512

    60e796d6df906bb73347b7e78cdf09bee591465e079026fcd8d9835c71d91de6a91801c4d4b63c2cd5fe3ca790120ca08260bacace0214418bca3fcde54a7f3d

  • C:\Users\Admin\11595538\rsagv.qww
    MD5

    069e6cddc473c3a8f0bf745fc574dcae

    SHA1

    b92bfe871a15063bafdfbd3b637705d5c94431bd

    SHA256

    308ff51264e710abd553b398605a7079d9fbfdde82109f3020651c2f7f4680f8

    SHA512

    b76bd95afd28f188ec7f58ee339454f50996e3f0d6c002dc605e820b6910a6fe7bb91c2056cd383227bc08d35d0449f4a23dbfe6a7e993052ad239cdaa74ba9e

  • C:\Users\Admin\11595538\seno.ppt
    MD5

    bd2b11ae54eadab7b14a398339b5bca4

    SHA1

    61306d45dfd571724d773da8fcb989ee5a8a9e17

    SHA256

    bdceed33128233cfc5e7e4be089ec81e5150a0ff3e0d7162a36b3855a243e3ec

    SHA512

    a2a9c919b7c475f635b6d9b75c9d07b5237f5a124244c7c448643f1fe3c1fc2e19e97a2367017048545504c205ad0883e87eb9a5e3e9e4e01bdd0cd73c529def

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • \Users\Admin\11595538\edsoqm.pif
    MD5

    6c791836a7f45952c1183d31e07bd966

    SHA1

    24f3d4a239e338ddb6f48e6eb706d3f19a280248

    SHA256

    c70c58c4b0b01a5985e3b7820977acef3a6d78e653709dab84d47c06b5f1d43d

    SHA512

    60e796d6df906bb73347b7e78cdf09bee591465e079026fcd8d9835c71d91de6a91801c4d4b63c2cd5fe3ca790120ca08260bacace0214418bca3fcde54a7f3d

  • \Users\Admin\AppData\Local\Temp\RegSvcs.exe
    MD5

    0e06054beb13192588e745ee63a84173

    SHA1

    30b7d4d1277bafd04a83779fd566a1f834a8d113

    SHA256

    c5d6d56ded55fbd6c150ee3a0eb2e5671cae83106be2be4d70ce50aa50bab768

    SHA512

    251a112f3f037e62ff67a467389e47a56afb344bc942b17efa9bd2970494718b26bbee9adc3ac35f93ee4d2114aa426b6d0ea4bafad294b6c118a15f1977c215

  • memory/1612-0-0x0000000000F90000-0x0000000001091000-memory.dmp
    Filesize

    1.0MB

  • memory/1892-6-0x0000000000000000-mapping.dmp
  • memory/1928-12-0x000000000054702E-mapping.dmp
  • memory/1928-11-0x0000000000500000-0x0000000000A37000-memory.dmp
    Filesize

    5.2MB

  • memory/1928-14-0x0000000000500000-0x0000000000A37000-memory.dmp
    Filesize

    5.2MB

  • memory/1928-15-0x0000000000500000-0x0000000000A37000-memory.dmp
    Filesize

    5.2MB