Overview

overview

10

Static

static

iym.exe

windows7_x64

10

iym.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iym.exe

  • Size

    20KB

  • MD5

    9d1c8d505aed4eb37bd5530a0b5b3b10

  • SHA1

    8727180dafb631c287957dedbcc4f989fb0a5825

  • SHA256

    1730e8fd738a26adbe3f0b31192adf6d4cc175f021b2d06e6278e36a43efef40

  • SHA512

    0a1776064a7a82a53881036ed2b3ab9a30f0c842c826543202cbf6399cb10f6ca2544e95672e87ab59c84d5778544aa89dfaa802ab843aa57bf6bcbeb4f27bea

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    edubrazil4040@longjohn.icu
  • Password:
    GODBLESS2021@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iym.exe
    "C:\Users\Admin\AppData\Local\Temp\iym.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3188
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iym.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:68
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\iym.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\iym.exe
      "C:\Users\Admin\AppData\Local\Temp\iym.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1796
    • C:\Users\Admin\AppData\Local\Temp\iym.exe
      "C:\Users\Admin\AppData\Local\Temp\iym.exe"
      2⤵
        PID:1876
      • C:\Users\Admin\AppData\Local\Temp\iym.exe
        "C:\Users\Admin\AppData\Local\Temp\iym.exe"
        2⤵
          PID:2068
        • C:\Users\Admin\AppData\Local\Temp\iym.exe
          "C:\Users\Admin\AppData\Local\Temp\iym.exe"
          2⤵
            PID:2360
          • C:\Users\Admin\AppData\Local\Temp\iym.exe
            "C:\Users\Admin\AppData\Local\Temp\iym.exe"
            2⤵
              PID:2792

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          5
          T1112

          Disabling Security Tools

          3
          T1089

          Virtualization/Sandbox Evasion

          2
          T1497

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          4
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            db01a2c1c7e70b2b038edf8ad5ad9826

            SHA1

            540217c647a73bad8d8a79e3a0f3998b5abd199b

            SHA256

            413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

            SHA512

            c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            c346de650c4f10d51cb71527ebf5f514

            SHA1

            163d9955419932180beb9dfa8d9f1c54bd3b57f4

            SHA256

            0e4effa7abff4956f2d114ea033c846b78f9fedb59d7f021f8baf3f57bf4b6ab

            SHA512

            729cef61ad0772fd7a15563c0ab1ef654575ec483c985f3ee49a3d9df85f2a68e434d740c23316c87e94a940798b2bccb83df63272335469aeb00bc27d55fcc2

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            ac48c2605180be86d6964390d269b66d

            SHA1

            dbe982cf0076bf2992c52b9a2cdf5bc3971d5aeb

            SHA256

            ba6357e03b944a1b703bc53f801f27875bef5c167bc4fd787789f99e0f5be65e

            SHA512

            6da7c8e22e83647f238bedb27b269ffd89e6c14d5af495db2815059de461d6d4472617c3829ae55ee71c0ed43164b07cb8ed9d54c83b4288ce01c683e2956cba

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            8263280127ffccfb8d4ec41005db0395

            SHA1

            9b070963aa18669b9ef7c8584634a74b76e404ff

            SHA256

            e25474fd6fc223608061a14de686155b2ea3768ca3afb84c6b0b43a630256894

            SHA512

            b8c0e5ea48fb280da2caf61e0e5a98df356baf4f46d3901443014583bce2e39816db7358f074ef6cbdf8882764b8fa93244b87ea008ade849fcfda1483c65c81

            Download Submit
          • memory/68-134-0x0000000006A63000-0x0000000006A64000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-45-0x0000000006A62000-0x0000000006A63000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-18-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/68-54-0x0000000006E20000-0x0000000006E21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-23-0x0000000006A60000-0x0000000006A61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-105-0x000000007ED20000-0x000000007ED21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-58-0x0000000007010000-0x0000000007011000-memory.dmp
            Filesize

            4KB

            Download
          • memory/68-14-0x0000000000000000-mapping.dmp
            Download
          • memory/68-67-0x0000000007740000-0x0000000007741000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-16-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/804-132-0x0000000000D93000-0x0000000000D94000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-70-0x0000000006C80000-0x0000000006C81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-52-0x0000000000D92000-0x0000000000D93000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-20-0x0000000000D90000-0x0000000000D91000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-15-0x0000000000000000-mapping.dmp
            Download
          • memory/804-101-0x000000007F530000-0x000000007F531000-memory.dmp
            Filesize

            4KB

            Download
          • memory/804-128-0x0000000008EF0000-0x0000000008EF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1796-158-0x0000000005381000-0x0000000005382000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1796-82-0x00000000056D0000-0x00000000056D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1796-32-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1796-33-0x00000000004374DE-mapping.dmp
            Download
          • memory/1796-35-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1796-47-0x0000000005380000-0x0000000005381000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1876-36-0x00000000004374DE-mapping.dmp
            Download
          • memory/2068-38-0x00000000004374DE-mapping.dmp
            Download
          • memory/2068-42-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2360-46-0x00000000004374DE-mapping.dmp
            Download
          • memory/2360-48-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/3188-50-0x0000000004BC2000-0x0000000004BC3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-110-0x000000007F0E0000-0x000000007F0E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-136-0x0000000009940000-0x0000000009941000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-135-0x0000000004BC3000-0x0000000004BC4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-124-0x0000000009580000-0x0000000009581000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-12-0x0000000000000000-mapping.dmp
            Download
          • memory/3188-78-0x0000000008650000-0x0000000008651000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-21-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3188-19-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/3188-74-0x0000000008740000-0x0000000008741000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-133-0x0000000006813000-0x0000000006814000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-17-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4316-87-0x0000000008A80000-0x0000000008AB3000-memory.dmp
            Filesize

            204KB

            Download
          • memory/4316-96-0x000000007F750000-0x000000007F751000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-13-0x0000000000000000-mapping.dmp
            Download
          • memory/4316-22-0x0000000006810000-0x0000000006811000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-24-0x0000000000ED0000-0x0000000000ED1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-120-0x0000000008960000-0x0000000008961000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-41-0x0000000006812000-0x0000000006813000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-144-0x0000000008EF0000-0x0000000008EF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4316-28-0x0000000006E50000-0x0000000006E51000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-53-0x0000000006440000-0x0000000006441000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-9-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-10-0x0000000005E90000-0x0000000005EF4000-memory.dmp
            Filesize

            400KB

            Download
          • memory/4700-2-0x0000000073430000-0x0000000073B1E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4700-11-0x0000000005F70000-0x0000000005F71000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-8-0x0000000005010000-0x0000000005011000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-7-0x0000000004E20000-0x0000000004E21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-6-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-5-0x0000000005100000-0x0000000005101000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4700-3-0x0000000000370000-0x0000000000371000-memory.dmp
            Filesize

            4KB

            Download