Overview

overview

10

Static

static

DR1.exe

windows7_x64

10

DR1.exe

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 16:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DR1.exe

  • Size

    15KB

  • MD5

    67698483a208b58241acfcdbe9682f90

  • SHA1

    2358b113a5a47d70e78b939156f2cdf7049fc39b

  • SHA256

    8f8198fc76f32f907c255e1715f44deaabd4677f4cc708ecfd6afb1a50d9bcfc

  • SHA512

    726181cf74d4adc26888d5454e66e76ca8887de3956d5a509fd015ae49f83683ad452d4f7a474bcdf3929e5192eb1e87e32636c515755739aef7ad136001b2ce

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    max.mccanna@metaltek.me
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 15 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DR1.exe
    "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3276
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DR1.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DR1.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DR1.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3312
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DR1.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Users\Admin\AppData\Local\Temp\DR1.exe
      "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1896
    • C:\Users\Admin\AppData\Local\Temp\DR1.exe
      "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
      2⤵
        PID:1548
      • C:\Users\Admin\AppData\Local\Temp\DR1.exe
        "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
        2⤵
          PID:3980
        • C:\Users\Admin\AppData\Local\Temp\DR1.exe
          "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
          2⤵
            PID:4064
          • C:\Users\Admin\AppData\Local\Temp\DR1.exe
            "C:\Users\Admin\AppData\Local\Temp\DR1.exe"
            2⤵
              PID:3836

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          5
          T1112

          Disabling Security Tools

          3
          T1089

          Virtualization/Sandbox Evasion

          2
          T1497

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          4
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            1c19c16e21c97ed42d5beabc93391fc5

            SHA1

            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

            SHA256

            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

            SHA512

            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            ed4b7284d2bdce26243a7dbb49030913

            SHA1

            17740db7981d533d2124becd57a8439fdda09dfb

            SHA256

            d51744aa52b9e2ce29dbcccbf1a49926cf526d13e2a32abfe99b119352235bfd

            SHA512

            92fe654fdf31c9815ca52ba06072839720e64eba79a4fa6c7f796c717dc972eafb9e6c0771766a8c7d04f43b90edb8276e5f65d9717cac8049103b75554e1d33

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            93f8743d1be5c5541d4ba9387671f7c0

            SHA1

            648024c9050b495fd00b2e013db2d319f367f7ff

            SHA256

            073747b3685a5493e04a7bc823ea2e1e6711b42a912d921ebdda4d50116b3aec

            SHA512

            0326718b37166a1d098c99d43146df013ceda56da3964892a72aedf5c8ee6dd8e0a1d83fe37c1328fd72a4b755fa80ef46f9c39319210236773c71ed6aafa880

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            4590eacbe35ce13c383477cc093a3ab0

            SHA1

            67d3f2c9aa7a586e957f4fcf8efb24aa8d9ff214

            SHA256

            5275472865730fb45e86beeb8735b9a99836e3f6fc7bd9935b684a026a253d30

            SHA512

            fc58f21a462366a30d40531b505e9a870f4292267a4f2e43937a32c9b6153dccd5ff7efe78a4657b5031dadc98e5cdde08ee11007ee42c8743c7f0a7e62e9737

            Download Submit
          • memory/1548-40-0x00000000004374AE-mapping.dmp
            Download
          • memory/1548-41-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1548-70-0x00000000057A0000-0x00000000057A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1896-39-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1896-37-0x00000000004374AE-mapping.dmp
            Download
          • memory/1896-36-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/1896-69-0x0000000004D10000-0x0000000004D11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1896-87-0x0000000005180000-0x0000000005181000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1896-163-0x0000000004D11000-0x0000000004D12000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-75-0x0000000007A20000-0x0000000007A21000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-31-0x00000000075B0000-0x00000000075B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-138-0x00000000075B3000-0x00000000075B4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-127-0x000000007F9F0000-0x000000007F9F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-19-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2760-24-0x0000000007BF0000-0x0000000007BF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-71-0x0000000008330000-0x0000000008331000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-52-0x0000000007910000-0x0000000007911000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-32-0x00000000075B2000-0x00000000075B3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2760-15-0x0000000000000000-mapping.dmp
            Download
          • memory/2820-92-0x0000000008D70000-0x0000000008DA3000-memory.dmp
            Filesize

            204KB

            Download
          • memory/2820-33-0x0000000006992000-0x0000000006993000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2820-13-0x0000000000000000-mapping.dmp
            Download
          • memory/2820-29-0x0000000006990000-0x0000000006991000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2820-20-0x0000000006820000-0x0000000006821000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2820-17-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2820-139-0x0000000006993000-0x0000000006994000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2820-141-0x0000000009250000-0x0000000009251000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-44-0x0000000006020000-0x0000000006021000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-9-0x0000000004910000-0x0000000004911000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-2-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/3276-3-0x0000000000040000-0x0000000000041000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-5-0x0000000004870000-0x0000000004871000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-6-0x0000000004E10000-0x0000000004E11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-11-0x0000000005AF0000-0x0000000005AF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-7-0x00000000049B0000-0x00000000049B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3276-10-0x0000000005A10000-0x0000000005A74000-memory.dmp
            Filesize

            400KB

            Download
          • memory/3276-8-0x0000000004AF0000-0x0000000004AF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-14-0x0000000000000000-mapping.dmp
            Download
          • memory/3312-149-0x0000000009470000-0x0000000009471000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-28-0x0000000006AD0000-0x0000000006AD1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-34-0x0000000006AD2000-0x0000000006AD3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-18-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/3312-93-0x0000000008FA0000-0x0000000008FD3000-memory.dmp
            Filesize

            204KB

            Download
          • memory/3312-134-0x0000000006AD3000-0x0000000006AD4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-113-0x000000007EB70000-0x000000007EB71000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-122-0x0000000008450000-0x0000000008451000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3312-126-0x00000000090E0000-0x00000000090E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3836-60-0x00000000004374AE-mapping.dmp
            Download
          • memory/3980-45-0x00000000004374AE-mapping.dmp
            Download
          • memory/4016-109-0x000000007F4C0000-0x000000007F4C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-133-0x0000000004CE3000-0x0000000004CE4000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-12-0x0000000000000000-mapping.dmp
            Download
          • memory/4016-135-0x0000000009C10000-0x0000000009C11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-83-0x0000000008970000-0x0000000008971000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-80-0x0000000008110000-0x0000000008111000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-16-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4016-30-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-61-0x0000000007F80000-0x0000000007F81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4016-35-0x0000000004CE2000-0x0000000004CE3000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4064-53-0x0000000073820000-0x0000000073F0E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4064-50-0x00000000004374AE-mapping.dmp
            Download