agenttesla | ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809

General

Target

ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
Size

994KB
MD5

3f6f7c01dc86ddaabade6d6665967c0a
SHA1

c5f2111e8d89127036f2c87fc799a1721ba0952c
SHA256

ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809
SHA512

7955073b51e1d4d55b2b58e66485f6d2dbf69786eb537274705a00864e19da63fd559640e340826e0e7e62250eccf987f66df7938ca53563a01cd14946e3bd94

Score

10^/10

agenttesla nanocore agilenet collection evasion keylogger persistence spyware stealer trojan

Malware Config

Extracted

Family

agenttesla

Credentials

Protocol: smtp
Host:
smtp.privateemail.com
Port:
587
Username:
[email protected]
Password:
office12#

Extracted

Family

nanocore

Version

1.2.2.0

C2

185.140.53.52:4488

Mutex

4457cc23-84d1-4515-bdf3-bc83fe8472db

Attributes

activate_away_mode
true
backup_connection_host
backup_dns_server
8.8.4.4
buffer_size
65535
build_time
2021-07-08T12:51:02.136438436Z
bypass_user_account_control
false
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
clear_access_control
true
clear_zone_identifier
false
connect_delay
4000
connection_port
4488
default_group
EXPO
enable_debug_mode
true
gc_threshold
1.048576e+07
keep_alive_timeout
30000
keyboard_logging
false
lan_timeout
2500
max_packet_size
1.048576e+07
mutex
4457cc23-84d1-4515-bdf3-bc83fe8472db
mutex_timeout
5000
prevent_system_sleep
false
primary_connection_host
185.140.53.52
primary_dns_server
8.8.8.8
request_elevation
true
restart_delay
5000
run_delay
0
run_on_startup
false
set_critical_process
true
timeout_interval
5000
use_custom_dns_server
false
version
1.2.2.0
wan_timeout
8000

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
keylogger trojan stealer spyware agenttesla
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
keylogger trojan stealer spyware nanocore

AgentTesla Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ammero.exe	family_agenttesla
C:\Users\Admin\AppData\Roaming\ammero.exe	family_agenttesla

Executes dropped EXE 3 IoCs

Processes:

expooo.exeammero.exeInstallUtil.exe

pid process

1756 expooo.exe
772 ammero.exe
1172 InstallUtil.exe

pid	process
1756	expooo.exe
772	ammero.exe
1172	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 3 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2160-121-0x0000000005A90000-0x0000000005AB1000-memory.dmp	agile_net
behavioral1/memory/2160-126-0x00000000055C0000-0x0000000005ABE000-memory.dmp	agile_net
behavioral1/memory/1756-138-0x0000000004EF0000-0x00000000053EE000-memory.dmp	agile_net

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

Processes:

ammero.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ammero.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ammero.exe
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ammero.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

InstallUtil.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe"	InstallUtil.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\expooo = "C:\\Users\\Admin\\AppData\\Roaming\\expooo.exe"	reg.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

InstallUtil.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA InstallUtil.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

expooo.exe

description pid process target process

PID 1756 set thread context of 1172 1756 expooo.exe InstallUtil.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	InstallUtil.exe

description	pid	process	target process
PID 1756 set thread context of 1172	1756	expooo.exe	InstallUtil.exe

Drops file in Program Files directory 2 IoCs

Processes:

InstallUtil.exe

description	ioc	process
File created	C:\Program Files (x86)\SCSI Service\scsisvc.exe	InstallUtil.exe
File opened for modification	C:\Program Files (x86)\SCSI Service\scsisvc.exe	InstallUtil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exeschtasks.exe

pid process

4012 schtasks.exe
2020 schtasks.exe

pid	process
4012	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exeexpooo.exeammero.exeInstallUtil.exe

pid	process
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
1756	expooo.exe
1756	expooo.exe
772	ammero.exe
772	ammero.exe
1172	InstallUtil.exe
1172	InstallUtil.exe
1172	InstallUtil.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

InstallUtil.exe

pid process

1172 InstallUtil.exe

pid	process
1172	InstallUtil.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exeexpooo.exeammero.exeInstallUtil.exe

description	pid	process
Token: SeDebugPrivilege	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
Token: SeDebugPrivilege	1756	expooo.exe
Token: SeDebugPrivilege	772	ammero.exe
Token: SeDebugPrivilege	1172	InstallUtil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

ammero.exe

pid process

772 ammero.exe

pid	process
772	ammero.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.execmd.exeexpooo.exeInstallUtil.exe

description	pid	process	target process
PID 2160 wrote to memory of 3436	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	cmd.exe
PID 2160 wrote to memory of 3436	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	cmd.exe
PID 2160 wrote to memory of 3436	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	cmd.exe
PID 3436 wrote to memory of 1540	3436	cmd.exe	reg.exe
PID 3436 wrote to memory of 1540	3436	cmd.exe	reg.exe
PID 3436 wrote to memory of 1540	3436	cmd.exe	reg.exe
PID 2160 wrote to memory of 1756	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	expooo.exe
PID 2160 wrote to memory of 1756	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	expooo.exe
PID 2160 wrote to memory of 1756	2160	ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe	expooo.exe
PID 1756 wrote to memory of 772	1756	expooo.exe	ammero.exe
PID 1756 wrote to memory of 772	1756	expooo.exe	ammero.exe
PID 1756 wrote to memory of 772	1756	expooo.exe	ammero.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1756 wrote to memory of 1172	1756	expooo.exe	InstallUtil.exe
PID 1172 wrote to memory of 4012	1172	InstallUtil.exe	schtasks.exe
PID 1172 wrote to memory of 4012	1172	InstallUtil.exe	schtasks.exe
PID 1172 wrote to memory of 4012	1172	InstallUtil.exe	schtasks.exe
PID 1172 wrote to memory of 2020	1172	InstallUtil.exe	schtasks.exe
PID 1172 wrote to memory of 2020	1172	InstallUtil.exe	schtasks.exe
PID 1172 wrote to memory of 2020	1172	InstallUtil.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

ammero.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ammero.exe

outlook_win_path 1 IoCs

Processes:

ammero.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	ammero.exe

C:\Users\Admin\AppData\Local\Temp\ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe
"C:\Users\Admin\AppData\Local\Temp\ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expooo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expooo.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "expooo" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\expooo.exe"
    3⤵
    - Adds Run key to start application
    PID:1540
- C:\Users\Admin\AppData\Roaming\expooo.exe
  "C:\Users\Admin\AppData\Roaming\expooo.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Users\Admin\AppData\Roaming\ammero.exe
    "C:\Users\Admin\AppData\Roaming\ammero.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:772
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1172
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp91CC.tmp"
      4⤵
      Creates scheduled task(s)
      PID:4012
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /create /f /tn "SCSI Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp9279.tmp"
      4⤵
      Creates scheduled task(s)
      PID:2020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5
91c9ae9c9a17a9db5e08b120e668c74c

SHA1
50770954c1ceb0bb6f1d5d3f2de2a0a065773723

SHA256
e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

SHA512
ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp91CC.tmp

MD5
f7eb19c49b51cdff67a25c6876a78241

SHA1
6d86be501c2fb57b50292a55d3983b7eee8a688d

SHA256
c9dab73a0044021d2acbc3952b19dea98cdfd838afc633197bd1bd12d2562fba

SHA512
1e94e363f9d4d0dcdfe0a8457642fcfe4f81dff0b39f1d1f00deab9291e133cd40b48c097dfe52c356d4a15c383e0aa08fae28b136937bcc57d5e01861716740

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9279.tmp

MD5
4e71faa3a77029484cfaba423d96618f

SHA1
9c837d050bb43d69dc608af809c292e13bca4718

SHA256
c470f45efd2e7c4c5b88534a18965a78dce0f8e154d3e45a9d5569ad0e334bdb

SHA512
6d014de41352f2b0b494d94cd58188791e81d4e53578d0722110b6827793b735e19c614877f25c61b26233dea1b5f1998ba1240bdc8fa04c87b7e64a4ca15fe0

Download Submit
C:\Users\Admin\AppData\Roaming\ammero.exe

MD5
605e939e44cd9b02c55ce0a09019ad47

SHA1
9ac8ff474631ed0c3d27a7290979b4880b9784f6

SHA256
5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589

SHA512
5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d

Download Submit
C:\Users\Admin\AppData\Roaming\ammero.exe

MD5
605e939e44cd9b02c55ce0a09019ad47

SHA1
9ac8ff474631ed0c3d27a7290979b4880b9784f6

SHA256
5ab99263d0101e00809c2fe1f068bbcb601208c3fb0efd753b36169a3a69c589

SHA512
5196b9b698a71dc4510a57acabaee22ec2cd3f35c7c82c0ccbc00673ee97b471019a79e4cdb1ec6b5765ef70f1b5aebc19f56b0fa6a9932844c8ae07ba8b2b9d

Download Submit
C:\Users\Admin\AppData\Roaming\expooo.exe

MD5
3f6f7c01dc86ddaabade6d6665967c0a

SHA1
c5f2111e8d89127036f2c87fc799a1721ba0952c

SHA256
ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809

SHA512
7955073b51e1d4d55b2b58e66485f6d2dbf69786eb537274705a00864e19da63fd559640e340826e0e7e62250eccf987f66df7938ca53563a01cd14946e3bd94

Download Submit
C:\Users\Admin\AppData\Roaming\expooo.exe

MD5
3f6f7c01dc86ddaabade6d6665967c0a

SHA1
c5f2111e8d89127036f2c87fc799a1721ba0952c

SHA256
ee9255119e7137141de1028b5a8e5ee7ab849ff4f49aa70c1062e47b65f62809

SHA512
7955073b51e1d4d55b2b58e66485f6d2dbf69786eb537274705a00864e19da63fd559640e340826e0e7e62250eccf987f66df7938ca53563a01cd14946e3bd94

Download Submit
memory/772-144-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/772-149-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/772-140-0x0000000000000000-mapping.dmp

Download
memory/772-168-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/772-171-0x00000000054E0000-0x00000000059DE000-memory.dmp

Filesize
5.0MB

Download
memory/1172-165-0x0000000005950000-0x0000000005955000-memory.dmp

Filesize
20KB

Download
memory/1172-151-0x000000000041E792-mapping.dmp

Download
memory/1172-150-0x0000000000400000-0x0000000000438000-memory.dmp

Filesize
224KB

Download
memory/1172-159-0x0000000003330000-0x0000000003331000-memory.dmp

Filesize
4KB

Download
memory/1172-160-0x0000000005800000-0x0000000005CFE000-memory.dmp

Filesize
5.0MB

Download
memory/1172-166-0x0000000005960000-0x0000000005979000-memory.dmp

Filesize
100KB

Download
memory/1172-167-0x0000000005CF0000-0x0000000005CF3000-memory.dmp

Filesize
12KB

Download
memory/1540-125-0x0000000000000000-mapping.dmp

Download
memory/1756-142-0x0000000007140000-0x000000000714B000-memory.dmp

Filesize
44KB

Download
memory/1756-138-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/1756-139-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/1756-127-0x0000000000000000-mapping.dmp

Download
memory/1756-147-0x0000000009760000-0x0000000009761000-memory.dmp

Filesize
4KB

Download
memory/2020-163-0x0000000000000000-mapping.dmp

Download
memory/2160-121-0x0000000005A90000-0x0000000005AB1000-memory.dmp

Filesize
132KB

Download
memory/2160-123-0x0000000006720000-0x0000000006721000-memory.dmp

Filesize
4KB

Download
memory/2160-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/2160-122-0x0000000006760000-0x0000000006761000-memory.dmp

Filesize
4KB

Download
memory/2160-126-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/2160-120-0x00000000055C0000-0x0000000005ABE000-memory.dmp

Filesize
5.0MB

Download
memory/2160-119-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/2160-118-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/2160-117-0x0000000005AC0000-0x0000000005AC1000-memory.dmp

Filesize
4KB

Download
memory/3436-124-0x0000000000000000-mapping.dmp

Download
memory/4012-161-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads