Overview

overview

10

Static

static

3ba367bb53...32.exe

windows7_x64

10

3ba367bb53...32.exe

windows10_x64

10

Analysis

  • max time kernel
    137s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    10-05-2021 13:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ba367bb53bc5ad7c0e8d7f5a9d33532.exe

  • Size

    718KB

  • MD5

    3ba367bb53bc5ad7c0e8d7f5a9d33532

  • SHA1

    974c0e32a4480927f27daec1f65ce9bf23ff0e0a

  • SHA256

    33ea02b92678e7c73d8f65dc81d76733fe0ce94b9c9b22ebe216132a0986436f

  • SHA512

    c595d47918ca1a3facba0003cf1dd245e10aad78b190fe5715904c16fb13052e41a3a807da113ef46c7ea4688e01f7136b9ddeda0792398a5bc872a69628294e

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.tractorandinas.com/
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    ~P*xO7vPBc-o

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • .NET Reactor proctector 2 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • AgentTesla Payload 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
    "C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
      C:\Users\Admin\AppData\Local\Temp\3ba367bb53bc5ad7c0e8d7f5a9d33532.exe
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1484
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Public\stt.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /K C:\Users\Public\PXOR.bat
        3⤵
          PID:616
          • C:\Windows \System32\Netplwiz.exe
            "C:\Windows \System32\Netplwiz.exe"
            4⤵
            • Executes dropped EXE
            PID:1556
          • C:\Windows \System32\Netplwiz.exe
            "C:\Windows \System32\Netplwiz.exe"
            4⤵
            • Executes dropped EXE
            PID:924

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/616-70-0x00000000750C1000-0x00000000750C3000-memory.dmp

      Filesize

      8KB

      Download

    • memory/616-72-0x0000000002110000-0x0000000002111000-memory.dmp

      Filesize

      4KB

      Download

    • memory/756-59-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1484-64-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1484-60-0x0000000000400000-0x0000000000449000-memory.dmp

      Filesize

      292KB

      Download

    • memory/1484-73-0x0000000002030000-0x000000000207D000-memory.dmp

      Filesize

      308KB

      Download

    • memory/1484-75-0x0000000004852000-0x0000000004853000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1484-74-0x0000000004851000-0x0000000004852000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1484-76-0x0000000004853000-0x0000000004854000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1484-77-0x0000000002170000-0x00000000021BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1484-78-0x0000000004854000-0x0000000004856000-memory.dmp

      Filesize

      8KB

      Download