Overview

overview

10

Static

static

6 x 40ft C...rs.exe

windows7_x64

10

6 x 40ft C...rs.exe

windows10_x64

10

Analysis

  • max time kernel
    85s
  • max time network
    102s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6 x 40ft Containers.exe

  • Size

    465KB

  • MD5

    aed60ac814a62d82531d6bd327570320

  • SHA1

    863c5a7b2525ad3a3acd80cd9eb4a582dea5ab8f

  • SHA256

    43102baba4383d06d675a03ae51962493a841b6d15389bc82145df70fbbd47b7

  • SHA512

    a40a9aac4e5917ee75f962e2291fc96c5d384b253115194c31c06f5766fabd6b486ea76eafd562ba17c1f9ed25ca1f0e41d9fd5e9506d096396fb89c1609d1ae

Score
10/10
agentteslakeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    coronavirus2020

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6 x 40ft Containers.exe
    "C:\Users\Admin\AppData\Local\Temp\6 x 40ft Containers.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vaYOZqrR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF28.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:452
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:896
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:936
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1004

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpEF28.tmp
        MD5

        74955a321154f94e8090720eb1655485

        SHA1

        dc836b0b6725801f26f66b1f512489f2ce6bedb8

        SHA256

        e26e24e266040ece1d54a3801c64ae16b820eafc629f39d506a181a4a9155771

        SHA512

        813fbcaa83d16dda9432fce42530398b255ce891fa5c912f65f6e98918d8628ddfc3b30fd99e9617a67b23dc52a83f12d78f4f420b8c96e3a4801fd12376c50f

        Download Submit
      • memory/452-8-0x0000000000000000-mapping.dmp
        Download
      • memory/1004-20-0x00000000062F0000-0x00000000062F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1004-18-0x0000000005E10000-0x0000000005E11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1004-17-0x00000000052A0000-0x00000000052A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1004-12-0x00000000739D0000-0x00000000740BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/1004-11-0x0000000000446E8E-mapping.dmp
        Download
      • memory/1004-10-0x0000000000400000-0x000000000044C000-memory.dmp
        Filesize

        304KB

        Download
      • memory/4800-4-0x00000000012E0000-0x00000000012EF000-memory.dmp
        Filesize

        60KB

        Download
      • memory/4800-7-0x0000000005E90000-0x0000000005E91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-6-0x0000000005940000-0x000000000598D000-memory.dmp
        Filesize

        308KB

        Download
      • memory/4800-5-0x0000000005550000-0x0000000005551000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-0-0x00000000739D0000-0x00000000740BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4800-3-0x0000000005190000-0x0000000005191000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-1-0x00000000008D0000-0x00000000008D1000-memory.dmp
        Filesize

        4KB

        Download