Analysis
-
max time kernel
115s -
max time network
117s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
26-02-2021 07:13
General
-
Target
INVOICE-0899877.jar
-
Size
1.0MB
-
MD5
69177a6a0ac1953b7fe870f44d0b08b5
-
SHA1
050090f180f571711def0706a23e32a715ec5be5
-
SHA256
381768716f30918b472bb41e9aca29d1b01643ec1892545453d104f03bc2a612
-
SHA512
b03921f0e1ad1df192b6c85663fdcb22700808829c02356ee9a82623267553b77b974f14bdf710b4fd523ccee97c0d31cae9fcf0989c85712f65e607e7a665dd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.potagrup.com - Port:
587 - Username:
[email protected] - Password:
Pgrup@2021
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger Payload 4 IoCs
-
AgentTesla Payload 6 IoCs
-
Beds Protector Packer 1 IoCs
Detects Beds Protector packer used to load .NET malware.
-
Executes dropped EXE 5 IoCs
-
Drops startup file 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 22 IoCs
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\INVOICE-0899877.jar1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\cb1M.exeC:\Users\Admin\cb1M.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\cb1M.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Drivers.exe'3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\cb1M.exe"C:\Users\Admin\cb1M.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe"C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exe" 04⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe"C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exe" 04⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe"C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exe" 04⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exeMD5
83f896eba915c6fcd3fd1913a39b9915
SHA1b17a0b610fec952f3669aedc8e46a2400bdb1787
SHA25618c57360035b052fd617a5762fb35a9299f7428e6c331fd7b4c08f4d7ec8ecb9
SHA512f09a6c62fda5dedda7c8f0dda94bdcb7c6e0a2d2a511846907e1dc3db1a72269ca7163a1c90b2a94033817abcd4ccce11854c3a65e1799865df0f1cb76a60a74
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 2.0.exeMD5
83f896eba915c6fcd3fd1913a39b9915
SHA1b17a0b610fec952f3669aedc8e46a2400bdb1787
SHA25618c57360035b052fd617a5762fb35a9299f7428e6c331fd7b4c08f4d7ec8ecb9
SHA512f09a6c62fda5dedda7c8f0dda94bdcb7c6e0a2d2a511846907e1dc3db1a72269ca7163a1c90b2a94033817abcd4ccce11854c3a65e1799865df0f1cb76a60a74
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exeMD5
bbc8f515c647cd3763f1586e15b5ead6
SHA18ade922f0dd917c53e5ca68e45cf5201d9a2a43b
SHA2569a4820e61cb98fce467a1510ad20e9f11af4c4e3c8745695f008d72599a47813
SHA512d4b56b5241725358ff1a0dd4efe26317b6b64e0c9f8184aeb84ed23bafc7a25821e9ff30f69442d112f88e636d5e4c7125a72211241ea1fc1281a4f0df5468aa
-
C:\Users\Admin\AppData\Local\Temp\0RIGIN 4.0.exeMD5
bbc8f515c647cd3763f1586e15b5ead6
SHA18ade922f0dd917c53e5ca68e45cf5201d9a2a43b
SHA2569a4820e61cb98fce467a1510ad20e9f11af4c4e3c8745695f008d72599a47813
SHA512d4b56b5241725358ff1a0dd4efe26317b6b64e0c9f8184aeb84ed23bafc7a25821e9ff30f69442d112f88e636d5e4c7125a72211241ea1fc1281a4f0df5468aa
-
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exeMD5
384c7a048993884b24056406e9226729
SHA1d5d87c41c862e3b74e9ba8eb0bb2147668815c44
SHA256eebf27101a97ad89df8e932c8003954b7e5ee6e9f4dca5e0880751d110946f35
SHA51282fa49fc72df3f163855d2df103172be974fa6fc9f78b9b4192d66732ac48b21622663bed85f043a3e6c998326f28c7c43fb6fd3be5a25c951faf03172b28857
-
C:\Users\Admin\AppData\Local\Temp\PGRUP SNAKE2021.exeMD5
384c7a048993884b24056406e9226729
SHA1d5d87c41c862e3b74e9ba8eb0bb2147668815c44
SHA256eebf27101a97ad89df8e932c8003954b7e5ee6e9f4dca5e0880751d110946f35
SHA51282fa49fc72df3f163855d2df103172be974fa6fc9f78b9b4192d66732ac48b21622663bed85f043a3e6c998326f28c7c43fb6fd3be5a25c951faf03172b28857
-
C:\Users\Admin\cb1M.exeMD5
97aa8299f3eae737008853b62609dc53
SHA133d2ad2819f64bd616f8a0a8964c582efdaeb25b
SHA2563cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
SHA512630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391
-
C:\Users\Admin\cb1M.exeMD5
97aa8299f3eae737008853b62609dc53
SHA133d2ad2819f64bd616f8a0a8964c582efdaeb25b
SHA2563cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
SHA512630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391
-
C:\Users\Admin\cb1M.exeMD5
97aa8299f3eae737008853b62609dc53
SHA133d2ad2819f64bd616f8a0a8964c582efdaeb25b
SHA2563cd722ce7162ece3b9e69d6482a1e26c80fb0435bce8a13ab787a8b61ecf8cac
SHA512630c09e8d1ffcc208f5338fa8eec082617ab270b7a18b5bc12ceac2bd10a56e157970417359af1f76d8184650c881108029419acb31d6077f6976c4afe99c391
-
memory/2076-38-0x0000000000000000-mapping.dmp
-
memory/2076-43-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/2076-58-0x0000000006A10000-0x0000000006A11000-memory.dmpFilesize
4KB
-
memory/2076-56-0x0000000006BA0000-0x0000000006BA1000-memory.dmpFilesize
4KB
-
memory/2076-55-0x00000000059B0000-0x00000000059B1000-memory.dmpFilesize
4KB
-
memory/2076-44-0x0000000000E70000-0x0000000000E71000-memory.dmpFilesize
4KB
-
memory/2824-9-0x0000000005820000-0x0000000005923000-memory.dmpFilesize
1.0MB
-
memory/2824-13-0x00000000059D0000-0x00000000059D1000-memory.dmpFilesize
4KB
-
memory/2824-20-0x0000000005740000-0x000000000574F000-memory.dmpFilesize
60KB
-
memory/2824-12-0x0000000003260000-0x0000000003261000-memory.dmpFilesize
4KB
-
memory/2824-11-0x0000000005ED0000-0x0000000005ED1000-memory.dmpFilesize
4KB
-
memory/2824-10-0x0000000005930000-0x0000000005931000-memory.dmpFilesize
4KB
-
memory/2824-7-0x0000000000D90000-0x0000000000D91000-memory.dmpFilesize
4KB
-
memory/2824-6-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/2824-3-0x0000000000000000-mapping.dmp
-
memory/2888-21-0x0000000000400000-0x00000000004D3000-memory.dmpFilesize
844KB
-
memory/2888-22-0x000000000040104C-mapping.dmp
-
memory/3136-16-0x0000000006B30000-0x0000000006B31000-memory.dmpFilesize
4KB
-
memory/3136-17-0x00000000071A0000-0x00000000071A1000-memory.dmpFilesize
4KB
-
memory/3136-63-0x0000000006B23000-0x0000000006B24000-memory.dmpFilesize
4KB
-
memory/3136-30-0x0000000007B30000-0x0000000007B31000-memory.dmpFilesize
4KB
-
memory/3136-29-0x0000000007AC0000-0x0000000007AC1000-memory.dmpFilesize
4KB
-
memory/3136-28-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/3136-61-0x0000000009000000-0x0000000009001000-memory.dmpFilesize
4KB
-
memory/3136-26-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/3136-19-0x0000000006B22000-0x0000000006B23000-memory.dmpFilesize
4KB
-
memory/3136-40-0x00000000082C0000-0x00000000082C1000-memory.dmpFilesize
4KB
-
memory/3136-18-0x0000000006B20000-0x0000000006B21000-memory.dmpFilesize
4KB
-
memory/3136-60-0x0000000008FA0000-0x0000000008FA1000-memory.dmpFilesize
4KB
-
memory/3136-59-0x0000000009070000-0x0000000009071000-memory.dmpFilesize
4KB
-
memory/3136-14-0x0000000000000000-mapping.dmp
-
memory/3136-34-0x0000000007EA0000-0x0000000007EA1000-memory.dmpFilesize
4KB
-
memory/3136-52-0x0000000008310000-0x0000000008311000-memory.dmpFilesize
4KB
-
memory/3136-15-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/3780-31-0x0000000000000000-mapping.dmp
-
memory/3780-48-0x0000000002610000-0x0000000002611000-memory.dmpFilesize
4KB
-
memory/3780-66-0x0000000002611000-0x0000000002612000-memory.dmpFilesize
4KB
-
memory/3780-69-0x0000000002612000-0x0000000002613000-memory.dmpFilesize
4KB
-
memory/3788-54-0x0000000005990000-0x0000000005991000-memory.dmpFilesize
4KB
-
memory/3788-45-0x0000000000F10000-0x0000000000F11000-memory.dmpFilesize
4KB
-
memory/3788-39-0x0000000073BA0000-0x000000007428E000-memory.dmpFilesize
6.9MB
-
memory/3788-35-0x0000000000000000-mapping.dmp
-
memory/3788-64-0x0000000005960000-0x0000000005961000-memory.dmpFilesize
4KB
-
memory/3928-2-0x00000000028E0000-0x0000000002B50000-memory.dmpFilesize
2.4MB