Overview

overview

10

Static

static

AS4852.exe

windows7_x64

10

AS4852.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-04-2021 07:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    AS4852.exe

  • Size

    878KB

  • MD5

    8e89d91f85cfff34a8d12ede04b1614c

  • SHA1

    d3d52466a4ca5e6be70c023786be9c0f5da4f441

  • SHA256

    53c98412c17c1a408f79f6a2ed8de3bf51c970eb6968e7e9b41bc38fa9e242ed

  • SHA512

    d90783f712c5f012d920b9f95027edc898f8ef0b1e85665982929c082bf9eccab101b9c715f2c50e6a93cf2eac162b0e2520d12a2a3dbc0dd3b7e9ec7b7fda53

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://45.141.152.18/
  • Port:
    21
  • Username:
    farmlogs@vancrenanbroek.com
  • Password:
    wTk4W1Uhkp5u

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AS4852.exe
    "C:\Users\Admin\AppData\Local\Temp\AS4852.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1796
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OtVSjtvUtmrmx" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1108
    • C:\Users\Admin\AppData\Local\Temp\AS4852.exe
      "C:\Users\Admin\AppData\Local\Temp\AS4852.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      PID:336

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE7C0.tmp
    MD5

    b2a9e7a7e2059c2b51ae7096f768a0dd

    SHA1

    f8457e6d82124bdebc553c6c69a71564ebdc58fe

    SHA256

    4e399eb8202961fe1ef34870e529710a22810fc426045a27985e519a2855f13c

    SHA512

    35cf582ada6fd17f36f6a476d8f3547296a055110eeed11340093eaf8b0ae436854e812ea3f4fff438cf5b407ce87cfc272f710dd0b33e65769148757de64b34

    Download Submit
  • memory/336-70-0x00000000004375BE-mapping.dmp
    Download
  • memory/336-69-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/336-71-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/336-73-0x00000000049C0000-0x00000000049C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1108-67-0x0000000000000000-mapping.dmp
    Download
  • memory/1796-60-0x0000000001140000-0x0000000001141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-62-0x0000000004E40000-0x0000000004E41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-63-0x0000000000440000-0x0000000000449000-memory.dmp
    Filesize

    36KB

    Download
  • memory/1796-64-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1796-65-0x00000000052A0000-0x000000000531A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1796-66-0x0000000000B40000-0x0000000000B8A000-memory.dmp
    Filesize

    296KB

    Download