Overview

overview

10

Static

static

1

newanyiorigin.exe

windows7_x64

10

newanyiorigin.exe

windows10_x64

10

Analysis

  • max time kernel
    74s
  • max time network
    125s
  • platform
    windows10_x64
  • resource
    win10
  • submitted
    31-07-2020 10:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    newanyiorigin.exe

  • Size

    465KB

  • MD5

    93993f994aa01d44877418064b35a6bd

  • SHA1

    12892d6641fd748331d7aede80b660701e0d45a1

  • SHA256

    82cc4887e303142d81ec7d606de24bfe9d14d3fd2d867759b4c150f502d456ed

  • SHA512

    b6b701e8ff658c86937fc696f04aff41cc6d3fef7346b2e62a6465dbcb37e52f693173d45265925b81a5811b651288f632018619c487e3ce03e3adcb63e2f861

Score
10/10
agentteslananocorekeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • NanoCore

    NanoCore is a remote access tool (RAT) with a variety of capabilities.

    keyloggertrojanstealerspywarenanocore
  • AgentTesla Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe
    "C:\Users\Admin\AppData\Local\Temp\newanyiorigin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3788
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe BicornGasohol,Sunhats
      2⤵
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3896
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\BicornGasohol.DLL
    MD5

    ea2f9af237cf9f119f68498727701ae0

    SHA1

    2e714699ef5e6e766aa91d3b74a254e28c0af48b

    SHA256

    a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830

    SHA512

    14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Dynast
    MD5

    eebb7cc18e6f3f58c587c132e3086850

    SHA1

    62bcf6e0012e9a70d0e38b74f39a64bf543a3bf7

    SHA256

    1e48956974b342a00658ea5c3e0a66f3fe458e2fa54f2231d728a0f1d446a9c0

    SHA512

    35f0d3987c56c63c6dda7eab198a6f8324d1b34a98729fe66ea98b432be045d8699c3f105912d76ac4fa5a3c123bc318d40767b837e7f38db1db0c98e1179eb7

    Download Submit
  • \Users\Admin\AppData\Local\Temp\BicornGasohol.dll
    MD5

    ea2f9af237cf9f119f68498727701ae0

    SHA1

    2e714699ef5e6e766aa91d3b74a254e28c0af48b

    SHA256

    a743db5c06b9b3bb9a9183d9ef9c7fbf14f3938c3e6785a7bae943c14579b830

    SHA512

    14c5e2935fc1ab68b4b99656c74fb374017514fab5a7248b958f0990c404d230efd9dcd5bb7eed2351a766d2fbfb078e00adaaa9484c61c37319d87b5c97c4e0

    Download Submit
  • memory/3836-4-0x0000000000000000-mapping.dmp
    Download
  • memory/3836-5-0x0000000000000000-mapping.dmp
    Download
  • memory/3896-0-0x0000000000000000-mapping.dmp
    Download