Overview

overview

10

Static

static

Doc.exe

windows7_x64

10

Doc.exe

windows10_x64

10

Analysis

  • max time kernel
    127s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Doc.exe

  • Size

    478KB

  • MD5

    bf08620d6295f47bdde72569b43677ca

  • SHA1

    2afe1a20b5cd9255ac5429aaf7b7df3849f9c578

  • SHA256

    88502fda993fde73909371ca6813191b0af2d571632c1ebd5c92bd3a844af1c9

  • SHA512

    8b56773ffc23603b18f9c549291a6fa3010f17d33fdad55039eeb81b393cd8d9b8251ccc1e4148e54f879980bc1ef80ee75bcbf99abc7af7c4034827cc6fbb6e

Score
10/10
agentteslakeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.kalatecnic.com
  • Port:
    587
  • Username:
    comercial@kalatecnic.com
  • Password:
    Barcelona08397

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Doc.exe
    "C:\Users\Admin\AppData\Local\Temp\Doc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1068
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\chjgYQTVsGlXd" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1080
    • C:\Users\Admin\AppData\Local\Temp\Doc.exe
      "{path}"
      2⤵
        PID:368
      • C:\Users\Admin\AppData\Local\Temp\Doc.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:900

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp1120.tmp
        MD5

        ab9094860354de47b165f444659c8f96

        SHA1

        533f845b99be29efb71c96110d9bbcc09a3a63ce

        SHA256

        deeb0fd0a2420553560dca55a34513e53e74475d00dff2c4d912ef10831f1dda

        SHA512

        1e0d104d910ccac128336e8a2b0c508146017fc25340d9bd6a1b02b13aa5b517869eb3bd7b8ed8737a3bf60a88b3648d37294950c2e56842af604cc8e7f64dba

        Download Submit
      • memory/900-14-0x0000000000000000-mapping.dmp
        Download
      • memory/1068-0-0x00000000741A0000-0x000000007488E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1068-1-0x0000000001260000-0x0000000001261000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1068-3-0x00000000002B0000-0x00000000002BF000-memory.dmp
        Filesize

        60KB

        Download
      • memory/1068-4-0x0000000000FB0000-0x0000000001003000-memory.dmp
        Filesize

        332KB

        Download
      • memory/1080-5-0x0000000000000000-mapping.dmp
        Download
      • memory/1956-7-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1956-8-0x000000000044CDCE-mapping.dmp
        Download
      • memory/1956-9-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1956-10-0x0000000000400000-0x0000000000452000-memory.dmp
        Filesize

        328KB

        Download
      • memory/1956-11-0x00000000741A0000-0x000000007488E000-memory.dmp
        Filesize

        6.9MB

        Download