Overview

overview

10

Static

static

10

PO-3756632...LS.exe

windows7_x64

10

PO-3756632...LS.exe

windows10_x64

10

Analysis

  • max time kernel
    62s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    09-11-2020 19:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-37566324756834756_XLS.exe

  • Size

    714KB

  • MD5

    b56b7bea3cd94a84afa1024aea59ac6d

  • SHA1

    4d95aee7d7ad2463e0c5a47687057bd390df6430

  • SHA256

    d8525b2302c08306f63aa470ca7e081dbf35669af349cd1224d1485ecff71d43

  • SHA512

    c5791e1a79e8ca31a5ddc14d7ed7c071bfcc518d5e2a5bed8c6c1ec5d08962a3d3bf83833024d6de819d90b173eff0ad06ab0b89415990c24e17926c40f4105f

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.karcek.com.tr
  • Port:
    587
  • Username:
    info@karcek.com.tr
  • Password:
    Ahmet.6193

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-37566324756834756_XLS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BNbKBooAq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC053.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1484
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:744
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:1668
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:1560

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpC053.tmp
      MD5

      d6a1380148fbeb50d741e019157ca9d0

      SHA1

      1cea55c6adb842ccd4c61dbdbd22afb36aec67c0

      SHA256

      85a10af7eb431f5063be942b01fea466ffb6be88497dae389aff76a10f457be4

      SHA512

      c8c4a6c5e1da4c4b09a63e6677a81f9f3e98b4e977c5ac1d68536a057e6bfc15a53f4b3d1eccdf33f9366f13974634cc7694686cd6253258f978249e6a7a29fe

      Download Submit
    • memory/744-3-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/744-4-0x000000000044C9FE-mapping.dmp
      Download
    • memory/744-5-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/744-6-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/1484-1-0x0000000000000000-mapping.dmp
      Download
    • memory/1560-10-0x0000000000000000-mapping.dmp
      Download
    • memory/1668-8-0x0000000000000000-mapping.dmp
      Download
    • memory/1792-0-0x000007FEF7FE0000-0x000007FEF825A000-memory.dmp
      Filesize

      2.5MB

      Download