Overview

overview

10

Static

static

PO_DEA8365...1).exe

windows7_x64

10

PO_DEA8365...1).exe

windows10_x64

10

Analysis

  • max time kernel
    83s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 15:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO_DEA83657-ARF-(QR - 0621).exe

  • Size

    943KB

  • MD5

    465925dd7f0d7f41b5fff771e3cb8358

  • SHA1

    a7aa00da7f562e127c66e0c63b13ddde78fc3b08

  • SHA256

    9a5ea80dc3f334116c002ab185a5f54f80c72bcd11fcf5051b0a2e3a7704a3df

  • SHA512

    28c8db63e8706692d8350c1bb90b7f3a9ff37f3e66e5e3f96dfff34b7f0b6915525e156d08313e541086e6c1bac94e1c7d00060c83a0ac31354755290de493e5

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.aetheredbs.com
  • Port:
    587
  • Username:
    purchase1@aetheredbs.com
  • Password:
    AtVywhA4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe
    "C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4796
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:852
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEkpoTgSjrLn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1808
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SEkpoTgSjrLn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6E99.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2084
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SEkpoTgSjrLn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4004
    • C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe
      "C:\Users\Admin\AppData\Local\Temp\PO_DEA83657-ARF-(QR - 0621).exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3092

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    MD5

    7247129cd0644457905b7d6bf17fd078

    SHA1

    dbf9139b5a1b72141f170d2eae911bbbe7e128c8

    SHA256

    dfa6e0d79449f29310b2a0400dc7fa5a3a6b08182233147a81902d1f80a0f8e4

    SHA512

    9b1ebd7fe485811f10ec02778d90a7f7eccafa0231027b640b94eaed8408107051da7fcc4f17a9aa0eef900fa2595f44be7fd115331fb6da9b10076f5fcf87e0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6E99.tmp
    MD5

    e6216db7e2cf3e7a8976e69ef2505339

    SHA1

    e697aadc1d2033f818629a0a14657ea54bad9c20

    SHA256

    8ebe68ded05c3aef1611cfa2a962037f1f5d6811f0f1683f12a735a1440fe9bd

    SHA512

    92cb9b689f51781362684311799d3542e8c50c162dc5045d475aa0221f2078a2cd873af3d3012294f3bb104196a68212e545426e9c55a8fcaa498bebd6046789

    Download Submit
  • memory/852-159-0x00000000079C0000-0x00000000079C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-259-0x0000000006D33000-0x0000000006D34000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-162-0x0000000008000000-0x0000000008001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-237-0x000000007E420000-0x000000007E421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-132-0x0000000007200000-0x0000000007201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-208-0x0000000009020000-0x0000000009021000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-143-0x0000000007BF0000-0x0000000007BF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-124-0x0000000000000000-mapping.dmp
    Download
  • memory/852-139-0x0000000006D32000-0x0000000006D33000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-128-0x00000000047C0000-0x00000000047C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-129-0x0000000007370000-0x0000000007371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-137-0x0000000006D30000-0x0000000006D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/852-135-0x00000000072A0000-0x00000000072A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-221-0x00000000099C0000-0x00000000099C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-130-0x0000000000000000-mapping.dmp
    Download
  • memory/1808-141-0x0000000007402000-0x0000000007403000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-169-0x00000000088B0000-0x00000000088B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-142-0x0000000007400000-0x0000000007401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-192-0x0000000009890000-0x00000000098C3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/1808-236-0x000000007F500000-0x000000007F501000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1808-266-0x0000000007403000-0x0000000007404000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2084-131-0x0000000000000000-mapping.dmp
    Download
  • memory/3092-166-0x0000000005370000-0x000000000586E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3092-151-0x000000000043789E-mapping.dmp
    Download
  • memory/3092-150-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4004-149-0x0000000000000000-mapping.dmp
    Download
  • memory/4004-165-0x0000000006952000-0x0000000006953000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4004-163-0x0000000006950000-0x0000000006951000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4004-262-0x0000000006953000-0x0000000006954000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4004-238-0x000000007E1C0000-0x000000007E1C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-122-0x0000000008E00000-0x0000000008E81000-memory.dmp
    Filesize

    516KB

    Download
  • memory/4796-123-0x0000000001820000-0x000000000185C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4796-121-0x0000000008DE0000-0x0000000008DFB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/4796-120-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-125-0x0000000009000000-0x0000000009001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-119-0x0000000005830000-0x0000000005831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-118-0x0000000005880000-0x0000000005D7E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4796-114-0x0000000000F10000-0x0000000000F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-117-0x0000000005920000-0x0000000005921000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4796-116-0x0000000005D80000-0x0000000005D81000-memory.dmp
    Filesize

    4KB

    Download