Analysis

  • max time kernel: 132s
  • max time network: 73s
  • platform: windows10_x64
  • resource: win10v20201028
  • submitted: 14-01-2021 06:53

General

  • Target: AWB-20211211.14754943_TR.exe
  • Size: 881KB
  • MD5: 06f39e6b5df0f09e46de43052a0a1daf
  • SHA1: bc9b010e302178fa30b1a8bb537af717993bd298
  • SHA256: 1760b657755f0891214e821f9435509c25cdd5d0da0205e8f390c1b57aad9a77
  • SHA512: 437d6eb152eb84f931eeeebb1015de7cb3753498d353bff9fe963cb9ae69eb499d55cc8549cc92b697a7c19d9a26fba418221835688316b7cda58a4933f92467

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.talleresgenerauto.es
  • Port:
    587
  • Username:
    chapaypintura@talleresgenerauto.es
  • Password:
    talleres20generauto19

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload (2 IoCs)
  • Looks for VirtualBox Guest Additions in registry (2 TTPs)
  • Looks for VMWare Tools registry key (2 TTPs)
  • Checks BIOS information in registry (2 TTPs, 2 IoCs)

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials.

  • Maps connected drives based on registry (3 TTPs, 2 IoCs)

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) (1 TTPs, 1 IoCs)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe
    "C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LTTuaoUYZLg" /XML "C:\Users\Admin\AppData\Local\Temp\tmp225E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1596
    • C:\Users\Admin\AppData\Local\Temp\AWB-20211211.14754943_TR.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1856

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Execution: Scheduled Task, T1053 (1)
  • Persistence: Scheduled Task, T1053 (1)
  • Privilege Escalation: Scheduled Task, T1053 (1)
  • Defense Evasion: Virtualization/Sandbox Evasion, T1497 (2)
  • Credential Access: Credentials in Files, T1081 (3)
  • Discovery: Query Registry, T1012 (4)
  • Discovery: Virtualization/Sandbox Evasion, T1497 (2)
  • Discovery: System Information Discovery, T1082 (3)
  • Discovery: Peripheral Device Discovery, T1120 (1)
  • Collection: Data from Local System, T1005 (3)


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp225E.tmp
    MD5: 2edd515fca32c0b928c804b3fe9f1001
    SHA1: a95076b38dd09086dd502ebea73ce815b5400f34
    SHA256: 7fa73bed55308c3d8935c581ac44870578efce5a2cd865c8bbb2fc354ae4efe7
    SHA512: 56c5ee4f2e072de9c910b2fc11361af9109600b1312a228f0855fb02b385a731286cc90924cdd37c35bb7201d0c2eccb3c5fc4fb3b6c77e3e1cc7081e11e0786

  • memory/1404-9-0x0000000007950000-0x00000000079EC000-memory.dmp (Filesize: 624KB)
  • memory/1404-11-0x0000000007B30000-0x0000000007B31000-memory.dmp (Filesize: 4KB)
  • memory/1404-6-0x0000000005460000-0x0000000005461000-memory.dmp (Filesize: 4KB)
  • memory/1404-7-0x0000000005450000-0x0000000005451000-memory.dmp (Filesize: 4KB)
  • memory/1404-8-0x0000000005670000-0x000000000567E000-memory.dmp (Filesize: 56KB)
  • memory/1404-2-0x0000000073550000-0x0000000073C3E000-memory.dmp (Filesize: 6.9MB)
  • memory/1404-10-0x0000000007A90000-0x0000000007A91000-memory.dmp (Filesize: 4KB)
  • memory/1404-5-0x0000000005A60000-0x0000000005A61000-memory.dmp (Filesize: 4KB)
  • memory/1404-3-0x0000000000B30000-0x0000000000B31000-memory.dmp (Filesize: 4KB)
  • memory/1596-12-0x0000000000000000-mapping.dmp
  • memory/1856-14-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
  • memory/1856-15-0x000000000043765E-mapping.dmp
  • memory/1856-16-0x0000000073550000-0x0000000073C3E000-memory.dmp (Filesize: 6.9MB)
  • memory/1856-21-0x0000000005DB0000-0x0000000005DB1000-memory.dmp (Filesize: 4KB)