Overview

overview

10

Static

static

QUOTE 002242020.exe

windows7_x64

10

QUOTE 002242020.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE 002242020.exe

  • Size

    2.1MB

  • MD5

    bdbfa33c09b950889d9fc19954f20935

  • SHA1

    d9c6cf2322734d49a1c479ff31d044ccef2f739e

  • SHA256

    51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6

  • SHA512

    5ab3679f6c523a4a5d73678461f5089713b06fde01d59d42e2ca728d7723af01d135eba0737bf1606f105bb0a64573807cc687b8f4ba0666f4678948f1ae6fa7

Score
10/10
agentteslaevasionkeyloggerpersistencerezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.parshavayealborz.com
  • Port:
    587
  • Username:
    info@parshavayealborz.com
  • Password:
    P@rshava123456

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • rezer0 2 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:288
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:520
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
          4⤵
          • Drops file in Drivers directory
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\SysWOW64\REG.exe
            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:1532
          • C:\Windows\SysWOW64\netsh.exe
            "netsh" wlan show profile
            5⤵
              PID:636

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/288-1-0x0000000000BD0000-0x0000000000BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/288-3-0x0000000000280000-0x000000000028F000-memory.dmp
      Filesize

      60KB

      Download
    • memory/288-4-0x0000000007E80000-0x0000000008034000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/288-0-0x00000000740B0000-0x000000007479E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/520-14-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/520-15-0x000000000042800A-mapping.dmp
      Download
    • memory/520-16-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/532-21-0x0000000000400000-0x0000000000401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/532-19-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/532-18-0x000000000044C43E-mapping.dmp
      Download
    • memory/532-17-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/532-20-0x0000000072E90000-0x000000007357E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/636-24-0x0000000000000000-mapping.dmp
      Download
    • memory/1528-6-0x00000000005AD5E6-mapping.dmp
      Download
    • memory/1528-13-0x0000000007DA0000-0x0000000007F1B000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/1528-12-0x00000000003F0000-0x00000000003FB000-memory.dmp
      Filesize

      44KB

      Download
    • memory/1528-9-0x0000000074030000-0x000000007471E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1528-8-0x0000000000400000-0x00000000005B2000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1528-7-0x0000000000400000-0x00000000005B2000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1528-5-0x0000000000400000-0x00000000005B2000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/1532-23-0x0000000000000000-mapping.dmp
      Download