Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    14-01-2021 20:02

General

  • Target

    hkaP5RPCGNDVq3Z.exe

  • Size

    1.6MB

  • MD5

    07556e1af1f43f7dd42d32d188187e4a

  • SHA1

    42110c04869726694a2537e05f987039cd829ac0

  • SHA256

    a6fc5cc4331ee5a9bee82b3fde7bdbce1c1dc5a89c8860b682c948f4b9acc9cd

  • SHA512

    433457cb0e908bc673e952639f2df8da6991f2aed7e9c2cf98bcc677452bb8c5d92ccf8267ed7ca38227122ffcc6633bf40a39f2b1eaaf4262221e45899f094d

Malware Config

Extracted

Family

matiex

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    sales01@seedwellresources.xyz
  • Password:
    MARYolanmauluogwo@ever

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • HawkEye

    HawkEye is a malware kit that has seen continuous development since at least 2013.

  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

  • Matiex Main Payload 4 IoCs
  • AgentTesla Payload 6 IoCs
  • NirSoft MailPassView 7 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 7 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 10 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Uses the VBS compiler for execution 1 TTPs
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe
    "C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jcKKBKdU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD61D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4080
    • C:\Users\Admin\AppData\Local\Temp\hkaP5RPCGNDVq3Z.exe
      "{path}"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3276
      • C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe
        "C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe" 0
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4300
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          4⤵
          PID:1720
      • C:\Users\Admin\AppData\Local\Temp\Pictures.exe
        "C:\Users\Admin\AppData\Local\Temp\Pictures.exe" 0
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1868
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"
          4⤵
          PID:2228
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2564
      • C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe
        "C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe" 0
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4376
      • C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe
        "C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe" 0
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4340

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Execution
    Scripting (1) T1064
    Scheduled Task (1) T1053
  • Persistence
    Scheduled Task (1) T1053
  • Privilege Escalation
    Scheduled Task (1) T1053
  • Defense Evasion
    Scripting (1) T1064
  • Credential Access
    Credentials in Files (3) T1081
  • Discovery
    System Information Discovery (1) T1082
  • Collection
    Data from Local System (3) T1005

Downloads

  • C:\Users\Admin\AppData\Local\Temp\LOGO AND PICTURES.exe
    MD5: d9001138c5119d936b70bf77e136afbe
    SHA1: cfa2dbff8527715eaad00e91bd8955a8fffc1224
    SHA256: 9ae5ef3fd4feea105c1ed3f1e69fd4fa328e8f29f1937097280f7eee7f8d749e
    SHA512: 0187ec1ede0022daa4021a72d871ca0b7694b312bdba1c31bf3c0667ce0255c51e9880170a4b5226e63c2bf48f53b8071f12b08c106b6b82eb1d5389c3f9d576

  • C:\Users\Admin\AppData\Local\Temp\PO2345714382021.exe
    MD5: 9b79de8e3ad21f14e71e55cfa6ae4727
    SHA1: 3c2066345874febafe281bbde952d4f32d2ed53a
    SHA256: 56bd25acdb97ce17f8351b926c48a4f63e348c40f6c5913219b0745d99f6b31d
    SHA512: f922be9228baa1dab85a5cfacfafbb6e8c919009bb843b6cdba0c2e24f6abfcbe26417046be248ccb41f820111633fdee7c6ea5865a2fbcc3bcf22c52a7208e6

  • C:\Users\Admin\AppData\Local\Temp\PO456724392021.exe
    MD5: f38e2d474c075eff35b4ef81fdaca650
    SHA1: 13f869037c80be3cd4736c5f67431161c79e5970
    SHA256: f9ee81b7def0b0008cef43847fb9ba520c0b57a49e7a71b47ff8d6ee1fec4298
    SHA512: b57a699e88f2ed2d83901be6362663bfa98944a95e74f0e8d36622868a7ad04f9d557b617bd71a9a69fd7b7b1e7143edeaaff0a5e54d81311f78f8497fdea649

  • C:\Users\Admin\AppData\Local\Temp\Pictures.exe
    MD5: 25146e9c5ecd498dd17ba01e6cfaeb24
    SHA1: 4171900e4d1291c7a7cdb33adc655ecb12334a4f
    SHA256: 5207f3d079a52017e7977296c9eba782d3d5eae5adec94fa38acdd88c184496d
    SHA512: 18374c6619b5f3d310db43e5f81db1333bdc9dc4086910fe2724a406d445ccbf5b16463b9341fbe718b2aae9e929a2302655f3964eb64b47f2d80418b46e478f

  • C:\Users\Admin\AppData\Local\Temp\holderwb.txt
    MD5: f94dc819ca773f1e3cb27abbc9e7fa27
    SHA1: 9a7700efadc5ea09ab288544ef1e3cd876255086
    SHA256: a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
    SHA512: 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

  • C:\Users\Admin\AppData\Local\Temp\tmpD61D.tmp
    MD5: a9ef8df8a002b67d0de581b20a75d654
    SHA1: 36c1a3a35444dcc2a27181da703dc2918d2d398e
    SHA256: 7178b70b7d0a94a6c60ec08cc47b7fb83393c7104a43be698a27e0bd6092a8f1
    SHA512: 9ea4ce8caa8972015c219b5eb2d3f4625e34d1fd6e0e6c375b65d2f0b77535bca2ff585049902d8196f9d268e94ec160d140c6dbe40a59c5b5666ff14d4c95d7

  • memory/1720-43-0x0000000000000000-mapping.dmp
  • memory/1868-21-0x0000000000000000-mapping.dmp
  • memory/2228-47-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
  • memory/2228-45-0x0000000000400000-0x000000000041B000-memory.dmp (Filesize: 108KB)
  • memory/2228-46-0x0000000000411654-mapping.dmp
  • memory/2564-50-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/2564-51-0x0000000000442628-mapping.dmp
  • memory/2564-52-0x0000000000400000-0x0000000000458000-memory.dmp (Filesize: 352KB)
  • memory/3276-13-0x0000000000400000-0x0000000000562000-memory.dmp (Filesize: 1.4MB)
  • memory/3276-14-0x000000000040104C-mapping.dmp
  • memory/4080-11-0x0000000000000000-mapping.dmp
  • memory/4300-38-0x0000000005550000-0x0000000005551000-memory.dmp (Filesize: 4KB)
  • memory/4300-30-0x0000000000BC0000-0x0000000000BC1000-memory.dmp (Filesize: 4KB)
  • memory/4300-22-0x00000000732B0000-0x000000007399E000-memory.dmp (Filesize: 6.9MB)
  • memory/4300-44-0x0000000007290000-0x0000000007291000-memory.dmp (Filesize: 4KB)
  • memory/4300-18-0x0000000000000000-mapping.dmp
  • memory/4340-28-0x0000000000000000-mapping.dmp
  • memory/4376-23-0x0000000000000000-mapping.dmp
  • memory/4376-35-0x00000000003F0000-0x00000000003F1000-memory.dmp (Filesize: 4KB)
  • memory/4376-29-0x00000000732B0000-0x000000007399E000-memory.dmp (Filesize: 6.9MB)
  • memory/4376-48-0x0000000004DC0000-0x0000000004DC1000-memory.dmp (Filesize: 4KB)
  • memory/4644-5-0x00000000056E0000-0x00000000056E1000-memory.dmp (Filesize: 4KB)
  • memory/4644-6-0x00000000051E0000-0x00000000051E1000-memory.dmp (Filesize: 4KB)
  • memory/4644-7-0x0000000005180000-0x0000000005181000-memory.dmp (Filesize: 4KB)
  • memory/4644-8-0x00000000053D0000-0x00000000053DE000-memory.dmp (Filesize: 56KB)
  • memory/4644-9-0x0000000007B10000-0x0000000007CD5000-memory.dmp (Filesize: 1.8MB)
  • memory/4644-10-0x0000000007CE0000-0x0000000007CE1000-memory.dmp (Filesize: 4KB)
  • memory/4644-2-0x0000000073E30000-0x000000007451E000-memory.dmp (Filesize: 6.9MB)
  • memory/4644-3-0x00000000007C0000-0x00000000007C1000-memory.dmp (Filesize: 4KB)