Overview

overview

10

Static

static

Copia de pago jpg.exe

windows7_x64

10

Copia de pago jpg.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    27-07-2021 21:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Copia de pago jpg.exe

  • Size

    1.1MB

  • MD5

    38e13fcd219f49d7cca9c8be57ac6ef0

  • SHA1

    637a26e5e069a3262511666304aa07fb3c8cba00

  • SHA256

    0ed4dcb3b64eb9b43a02b433a6232b64196bf369c3b2c50ce5342c8e9f4fdcd3

  • SHA512

    e046dd4a80d171dff6e33e2eb48425a85f42361d597549b75968ee11a9a076367ef8228958ef259d3a90dc44f40159cfe73f9778c70d5d933d2e5b55b589074e

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.palletsolutions.ca
  • Port:
    587
  • Username:
    eloglogs@palletsolutions.ca
  • Password:
    h~Q+QV.(M2?!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mnhgRVvmyYRiXl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mnhgRVvmyYRiXl" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAA7E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2132
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mnhgRVvmyYRiXl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2288
    • C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"
      2⤵
        PID:2292
      • C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe
        "C:\Users\Admin\AppData\Local\Temp\Copia de pago jpg.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:388

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      MD5

      db01a2c1c7e70b2b038edf8ad5ad9826

      SHA1

      540217c647a73bad8d8a79e3a0f3998b5abd199b

      SHA256

      413da361d77055dae7007f82b58b366c8783aa72e0b8fbe41519b940c253b38d

      SHA512

      c76ff57fcee5cdf9fdf3116d4e1dc0cf106867bf19ab474b763e242acf5dca9a7509cb837c35e130c3e056636b4e8a4e135512a978bcd3dd641e20f5bf76c3d6

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      68037de51874570004bbd95ce0c53689

      SHA1

      232bd58fbf4e3b8690b20b2a1dac010ee4b809e4

      SHA256

      d25eb742a28d3319016b0c3d5005e3368e5bd2e77a824a5cc1bf107c1cd67805

      SHA512

      3c89aeb3fde00d9fa23508d1b55126abaca17c8a756c1f759265510b9d48fe145b51eee78d3830837eef534e30219456cdee134c33f9d9accec711e687e45004

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      MD5

      68037de51874570004bbd95ce0c53689

      SHA1

      232bd58fbf4e3b8690b20b2a1dac010ee4b809e4

      SHA256

      d25eb742a28d3319016b0c3d5005e3368e5bd2e77a824a5cc1bf107c1cd67805

      SHA512

      3c89aeb3fde00d9fa23508d1b55126abaca17c8a756c1f759265510b9d48fe145b51eee78d3830837eef534e30219456cdee134c33f9d9accec711e687e45004

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmpAA7E.tmp
      MD5

      458a9b3440c1a72efc5b47d2cbbb5a17

      SHA1

      4585c9734371559e4b6a0d74a646ab0ed0e7a4d9

      SHA256

      d8f0fc3885542c60ec8358639eb98d6fd1ea289cec7348925ab8737feb86707b

      SHA512

      fa1af184a02c8bf0e4236c13cde40fa1bdf4104395eeac1dd5c55000f62b2e75f36b42af4838724a3c3dd0c29f855acf5b08564c7335a34610b1a93ef0f29cac

      Download Submit
    • memory/388-165-0x00000000053E0000-0x00000000053E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/388-890-0x00000000053E1000-0x00000000053E2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/388-148-0x00000000004375EE-mapping.dmp
      Download
    • memory/388-147-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1636-129-0x0000000004880000-0x0000000004881000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-134-0x00000000079E0000-0x00000000079E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-125-0x0000000000000000-mapping.dmp
      Download
    • memory/1636-158-0x00000000048D2000-0x00000000048D3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-156-0x00000000048D0000-0x00000000048D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-130-0x0000000007340000-0x0000000007341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-235-0x000000007F450000-0x000000007F451000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-153-0x0000000008580000-0x0000000008581000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-132-0x00000000072D0000-0x00000000072D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-166-0x00000000083B0000-0x00000000083B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-136-0x0000000007D10000-0x0000000007D11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-151-0x0000000007A70000-0x0000000007A71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1636-241-0x00000000048D3000-0x00000000048D4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2132-133-0x0000000000000000-mapping.dmp
      Download
    • memory/2288-146-0x0000000000000000-mapping.dmp
      Download
    • memory/2288-291-0x0000000004B03000-0x0000000004B04000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2288-237-0x000000007FC70000-0x000000007FC71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2288-161-0x0000000004B00000-0x0000000004B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2288-164-0x0000000004B02000-0x0000000004B03000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-192-0x0000000009860000-0x0000000009893000-memory.dmp
      Filesize

      204KB

      Download
    • memory/2732-217-0x0000000009990000-0x0000000009991000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-162-0x0000000007282000-0x0000000007283000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2732-240-0x0000000007283000-0x0000000007284000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-159-0x0000000007280000-0x0000000007281000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-232-0x000000007F520000-0x000000007F521000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2732-207-0x0000000009620000-0x0000000009621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-124-0x00000000092F0000-0x0000000009329000-memory.dmp
      Filesize

      228KB

      Download
    • memory/3920-114-0x0000000000F10000-0x0000000000F11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-123-0x0000000009220000-0x000000000929E000-memory.dmp
      Filesize

      504KB

      Download
    • memory/3920-122-0x00000000091B0000-0x00000000091CB000-memory.dmp
      Filesize

      108KB

      Download
    • memory/3920-126-0x0000000009530000-0x0000000009531000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-121-0x0000000005770000-0x000000000580C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3920-120-0x0000000005B00000-0x0000000005B01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-119-0x0000000005840000-0x0000000005841000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-118-0x00000000059A0000-0x00000000059A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-117-0x0000000005E00000-0x0000000005E01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3920-116-0x0000000005860000-0x0000000005861000-memory.dmp
      Filesize

      4KB

      Download