Overview

overview

10

Static

static

10

15becbaa36...1f.exe

windows7_x64

7

15becbaa36...1f.exe

windows10_x64

7

Nuovo ordine .exe

windows7_x64

10

Nuovo ordine .exe

windows10_x64

10

189d5314ce...6e2b44

linux_amd64

189d5314ce...6e2b44

linux_mipsel

189d5314ce...6e2b44

linux_mips

18ccb7df2f...2a.exe

windows7_x64

10

18ccb7df2f...2a.exe

windows10_x64

10

1b11ae98b8...4f.dll

windows7_x64

10

1b11ae98b8...4f.dll

windows10_x64

10

204591aa6d...b8.exe

windows7_x64

10

204591aa6d...b8.exe

windows10_x64

10

2c7540c6d0...ff.exe

windows7_x64

10

2c7540c6d0...ff.exe

windows10_x64

10

2cb4d62827...d9.dll

windows7_x64

10

2cb4d62827...d9.dll

windows10_x64

10

4fd784c26d...49.exe

windows7_x64

10

4fd784c26d...49.exe

windows10_x64

10

553dc4c06c...5f.exe

windows7_x64

10

553dc4c06c...5f.exe

windows10_x64

10

5afed1cccc...2d.dll

windows7_x64

10

5afed1cccc...2d.dll

windows10_x64

10

62742e4698...10.exe

windows7_x64

10

62742e4698...10.exe

windows10_x64

10

6707289e11...1b.exe

windows7_x64

10

6707289e11...1b.exe

windows10_x64

10

69a43a40f0...e5.exe

windows7_x64

10

69a43a40f0...e5.exe

windows10_x64

10

6ca42fe27f...b7.exe

windows7_x64

10

6ca42fe27f...b7.exe

windows10_x64

10

6db4bb653b...97.jar

windows7_x64

3

Analysis

  • max time kernel
    106s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    30-07-2021 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe

  • Size

    887KB

  • MD5

    8edea84854ac21f8a056f647d010fd0d

  • SHA1

    3f328de3b2df09e90ef319fe0dacc7dfb585a831

  • SHA256

    6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7

  • SHA512

    3836df64e8624248e111d30aa1c665e229d24c9fe0877543156e58d932d6ed1b692c61bc9aa1c74b7b2ab33f19d7cfedbda5193d13d5f8478ca77ad998a5b38a

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.vistakencana.com.my
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    m33R3bus!

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
    "C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sELElpWT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1864
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sELElpWT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8630.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1652
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sELElpWT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:752
    • C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
      "C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe"
      2⤵
        PID:1256
      • C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
        "C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe"
        2⤵
          PID:1680
        • C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
          "C:\Users\Admin\AppData\Local\Temp\6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:916

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/656-72-0x0000000004790000-0x0000000004791000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-70-0x0000000000830000-0x0000000000831000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-85-0x0000000002030000-0x0000000002C7A000-memory.dmp

        Filesize

        12.3MB

        Download

      • memory/656-92-0x0000000004720000-0x0000000004721000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-97-0x0000000005660000-0x0000000005661000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-102-0x0000000006090000-0x0000000006091000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-103-0x0000000006120000-0x0000000006121000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-110-0x0000000006280000-0x0000000006281000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-66-0x0000000075161000-0x0000000075163000-memory.dmp

        Filesize

        8KB

        Download

      • memory/656-133-0x0000000006310000-0x0000000006311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-132-0x0000000006300000-0x0000000006301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/656-117-0x00000000055D0000-0x00000000055D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/752-89-0x0000000002510000-0x0000000002511000-memory.dmp

        Filesize

        4KB

        Download

      • memory/752-88-0x0000000004990000-0x0000000004991000-memory.dmp

        Filesize

        4KB

        Download

      • memory/916-78-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/916-81-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/916-86-0x0000000001020000-0x0000000001021000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-59-0x0000000001190000-0x0000000001191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1728-64-0x00000000010E0000-0x0000000001119000-memory.dmp

        Filesize

        228KB

        Download

      • memory/1728-63-0x0000000005420000-0x0000000005493000-memory.dmp

        Filesize

        460KB

        Download

      • memory/1728-62-0x00000000003F0000-0x000000000040B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/1728-61-0x0000000000D60000-0x0000000000D61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1864-87-0x00000000021A0000-0x0000000002DEA000-memory.dmp

        Filesize

        12.3MB

        Download