Overview

overview

10

Static

static

po.exe

windows7_x64

10

po.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    135s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 12:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    po.exe

  • Size

    898KB

  • MD5

    83f6e4e71f9a6638f9caedb14934e3e6

  • SHA1

    f7b05b5d187510060c810229155f290393fc3482

  • SHA256

    94c45cc52e1fdbdf80a9d376ddbbd316a81d58acc1fa677a09b755e4cff17182

  • SHA512

    134cfbb2aac318fde0323702cabc3270221b7870678e1f08a82513151c5fb0a984680cbc755f190c862385a25f4fbb1cfb4c9401ac344b4074e1429fe15145d2

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    business77.web-hosting.com
  • Port:
    587
  • Username:
    basari@makefoods-international.com
  • Password:
    london1759

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\po.exe
    "C:\Users\Admin\AppData\Local\Temp\po.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\po.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wfclToY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wfclToY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5E29.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4068
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wfclToY.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:580
    • C:\Users\Admin\AppData\Local\Temp\po.exe
      "C:\Users\Admin\AppData\Local\Temp\po.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    10129e5ae5486cc185c3c59996288a56

    SHA1

    6008755e27d1aef39344c332ffff2f796256350d

    SHA256

    b9f9068f479af91a8fe185c4193a2283dbd80707ca024904defe18edb6cfd3ee

    SHA512

    40d872448e88818700d805e023f2a3cce47d3ab08aec6c5dc44420429657ca880c2637c945623ea57508dcddc21c4c3e7acc13570b417ee1d1fdcf6531016c02

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    258020c15de1c66fa203504f817dd81c

    SHA1

    0f1b02c4f500a3904c35890817c58eefd4130b3c

    SHA256

    d2149912f799d5aeb93d23926d1155b537dabbbf381e2203e91ab2c39d05574b

    SHA512

    40bd93016835b18b53f9c79b9d725940841b93457683966c56606b3ab794e187a452d4b5ac9fe56950689b435797466381e6e8ef926af144eb0c111d37863018

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5E29.tmp
    MD5

    3784b692766851760c26c089f85c8d6c

    SHA1

    6fbd0efa5e6fe94715e53c0e134818c625a6488d

    SHA256

    35c2e1fcb52ddcb9eb27cae921f9a9b0915d9e2d0409a1a8c08b8b8fc856a9e7

    SHA512

    3e9b1836452ce2e99f419e8f71117bb845a24b49c1038d0a1b0e44469e6dcd98f4c068e263a09b9cf26eb515ffe0b3e6f07562fb737db6d112cc4094b7eafbb0

    Download Submit
  • memory/580-149-0x00000000073A2000-0x00000000073A3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-141-0x0000000000000000-mapping.dmp
    Download
  • memory/580-154-0x00000000075F0000-0x00000000075F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-147-0x00000000073A0000-0x00000000073A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-161-0x0000000007870000-0x0000000007871000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-164-0x0000000008050000-0x0000000008051000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-194-0x000000007EF60000-0x000000007EF61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/580-196-0x00000000073A3000-0x00000000073A4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-120-0x00000000049C0000-0x00000000049C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-114-0x0000000000020000-0x0000000000021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-124-0x0000000007E40000-0x0000000007ED0000-memory.dmp
    Filesize

    576KB

    Download
  • memory/808-123-0x00000000058B0000-0x0000000005979000-memory.dmp
    Filesize

    804KB

    Download
  • memory/808-122-0x0000000004BC0000-0x0000000004BC4000-memory.dmp
    Filesize

    16KB

    Download
  • memory/808-121-0x0000000004C40000-0x0000000004C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-119-0x00000000049B0000-0x0000000004EAE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/808-118-0x0000000004A50000-0x0000000004A51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-117-0x0000000004EB0000-0x0000000004EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-116-0x00000000048E0000-0x00000000048E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-125-0x0000000000000000-mapping.dmp
    Download
  • memory/1144-136-0x0000000004D60000-0x0000000004D61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-193-0x000000007F530000-0x000000007F531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-128-0x0000000004C80000-0x0000000004C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-157-0x0000000007780000-0x0000000007781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-131-0x0000000007960000-0x0000000007961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-197-0x0000000004D63000-0x0000000004D64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-137-0x0000000004D62000-0x0000000004D63000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-167-0x00000000077F0000-0x00000000077F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1144-170-0x0000000008520000-0x0000000008521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3300-143-0x00000000004374CE-mapping.dmp
    Download
  • memory/3300-188-0x0000000005EF0000-0x0000000005EF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3300-160-0x0000000003290000-0x0000000003291000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3300-142-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3868-139-0x0000000004FC2000-0x0000000004FC3000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3868-192-0x000000007EB00000-0x000000007EB01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3868-195-0x0000000004FC3000-0x0000000004FC4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3868-173-0x0000000008AC0000-0x0000000008AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3868-129-0x0000000000000000-mapping.dmp
    Download
  • memory/3868-138-0x0000000004FC0000-0x0000000004FC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-130-0x0000000000000000-mapping.dmp
    Download