Overview

overview

10

Static

static

0189603e1f...3f.exe

windows7_x64

10

0189603e1f...3f.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    21-10-2021 05:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0189603e1f23a9b8726e345a4f0f463f.exe

  • Size

    923KB

  • MD5

    0189603e1f23a9b8726e345a4f0f463f

  • SHA1

    415a8a780ad010025e409e33d6a8ad259f605042

  • SHA256

    21e329ad1a25176e7e17f0215f3fb95e723942e30b0f8eb6b478023dd0a36746

  • SHA512

    f8332f923bde2b55888dd1ba2d6460b2f54d5b7699c048546505cff63bd3239339a1cfc06ae70da2bb549db572e0b5c7f2c71b8f5c7ee243ffb0d83f3f67e3e2

Score
10/10
agentteslaasyncratredlinesnakekeyloggerdefaultprofessorcollectiondiscoveryinfostealerkeyloggerratspywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bursaplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    ahm155

Extracted

Family

redline

Botnet

professor

C2

91.92.109.70:9412

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

91.92.109.70:5353

Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • anti_vm

    false

  • bsod

    false

  • delay

    3

  • install

    false

  • install_folder

    %AppData%

  • pastebin_config

    null

aes.plain

Extracted

Family

snakekeylogger

C2

https://api.telegram.org/bot1982610890:AAFCcNp1Tl28ILhhdWKR-lR4Xpa_V1kwvCk/sendMessage?chat_id=860277004

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine Payload 3 IoCs
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • AgentTesla Payload 3 IoCs
  • Async RAT payload 3 IoCs
    rat
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0189603e1f23a9b8726e345a4f0f463f.exe
    "C:\Users\Admin\AppData\Local\Temp\0189603e1f23a9b8726e345a4f0f463f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1356
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vOUbYWeBQhU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAB9B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1464
    • C:\Users\Admin\AppData\Local\Temp\0189603e1f23a9b8726e345a4f0f463f.exe
      "C:\Users\Admin\AppData\Local\Temp\0189603e1f23a9b8726e345a4f0f463f.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:628
      • C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe
        "C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1648
      • C:\Users\Admin\AppData\Local\Temp\Doc2.exe
        "C:\Users\Admin\AppData\Local\Temp\Doc2.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:652
      • C:\Users\Admin\AppData\Local\Temp\Doc.exe
        "C:\Users\Admin\AppData\Local\Temp\Doc.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1536
      • C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe
        "C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:540

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    MD5

    ab5c36d10261c173c5896f3478cdc6b7

    SHA1

    87ac53810ad125663519e944bc87ded3979cbee4

    SHA256

    f8e90fb0557fe49d7702cfb506312ac0b24c97802f9c782696db6d47f434e8e9

    SHA512

    e83e4eae44e7a9cbcd267dbfc25a7f4f68b50591e3bbe267324b1f813c9220d565b284994ded5f7d2d371d50e1ebfa647176ec8de9716f754c6b5785c6e897fa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    db3ff029c883f742b71984bf80579b3a

    SHA1

    a97ad8bf00c4672094eb2fdbee4f56d1ce10eb5c

    SHA256

    22e859d00bd7312d1f92f14c0fd4e46ee3542a41a74032750eef156994d51663

    SHA512

    59d17b87557d5e80c5d66c26728fbfc6578c5673e40b442059e2bf59cc5fa741f927e5a32e3e3cad0209b9be2ed1c411f45b4114e2b5a957098509ff1e09799b

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    efe2070d349c670f3755170b762724fc

    SHA1

    f31b3869dbd1223b57ebae30ffb7184032bd2ab0

    SHA256

    cb6146d417214d6100fa7ef7ae65472601dc726d0ae7f9b4f7535a5550aaf444

    SHA512

    b9aed3ad0c2535f176def3a51f1d920e8f69625dd95dd8769e0cc111a4bcd61955e2f1b977205b155c5639bf2cadfcfff905f088d18472dccef1a2df5518df1f

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    MD5

    58b131770905355adb82afce09191f5c

    SHA1

    069e6537e2805be99f536cde83d5d52dada1b2e4

    SHA256

    ac8a795d9a10cf8637ce80f8adb5e1ded9c16af0a4a9fef7df9e4772bade3dc8

    SHA512

    c23ae4e765ec8e92b019c3c0e7e83ee84df98e3980669a6c4f4fd41d23b6fdadce4921a36c90c46964a1b4052c2e8cc10431adfd9a752db424dc93f237ea34d4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Doc.exe
    MD5

    ff911b01de9c67664cbeebf071651d9b

    SHA1

    a4965610cb6f0a28f29d64977c1535a80ff78792

    SHA256

    75958183900ca3ae5e707883fac463595f5b9faf79ebe14166987abceacd91a9

    SHA512

    bbe15c5e94e89c138503e6790cf186ee7e854e78a4f5c7c743bead341eeb23468e04fbbaf5f6c642f3409e32d62e6ac525548b97f05c67b18150a470b98e238c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Doc.exe
    MD5

    ff911b01de9c67664cbeebf071651d9b

    SHA1

    a4965610cb6f0a28f29d64977c1535a80ff78792

    SHA256

    75958183900ca3ae5e707883fac463595f5b9faf79ebe14166987abceacd91a9

    SHA512

    bbe15c5e94e89c138503e6790cf186ee7e854e78a4f5c7c743bead341eeb23468e04fbbaf5f6c642f3409e32d62e6ac525548b97f05c67b18150a470b98e238c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Doc2.exe
    MD5

    f824b1597b0746ebeee1679d0b5dcc20

    SHA1

    00f489e1ccf525375e65fa8b7f5e2c3e805af195

    SHA256

    69cccd5a3c14567765d9ab3c826dbf37c3a82c8c477e3070460c8eb7935dd3f8

    SHA512

    43507337e82242141499a9b987303c1dbcffb9c7674dedd92317c7fe519a615db9b836f0367706a043861635e9305f220dbb4a6781cd34e75ef95469995da057

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Doc2.exe
    MD5

    f824b1597b0746ebeee1679d0b5dcc20

    SHA1

    00f489e1ccf525375e65fa8b7f5e2c3e805af195

    SHA256

    69cccd5a3c14567765d9ab3c826dbf37c3a82c8c477e3070460c8eb7935dd3f8

    SHA512

    43507337e82242141499a9b987303c1dbcffb9c7674dedd92317c7fe519a615db9b836f0367706a043861635e9305f220dbb4a6781cd34e75ef95469995da057

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe
    MD5

    00bbb41ac9e00544de16a8328c0fc897

    SHA1

    b4fcda6c599ed90229094df77d3b4c5eb2e73c94

    SHA256

    01f13fca1b5e671d54999a10a6081e51fae1b37e907a29d800241202f69a196b

    SHA512

    30ac40ace33d6b2693fb9f8910d3b5bf656fb2974551bed20982f2d0a8cb834cdb2a1246fce736371e1f76f0d4a10a8549d41ddd4940f2aef60548de54fadfcb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe
    MD5

    00bbb41ac9e00544de16a8328c0fc897

    SHA1

    b4fcda6c599ed90229094df77d3b4c5eb2e73c94

    SHA256

    01f13fca1b5e671d54999a10a6081e51fae1b37e907a29d800241202f69a196b

    SHA512

    30ac40ace33d6b2693fb9f8910d3b5bf656fb2974551bed20982f2d0a8cb834cdb2a1246fce736371e1f76f0d4a10a8549d41ddd4940f2aef60548de54fadfcb

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe
    MD5

    b2d8b1dbac147077cae57ee37de6f696

    SHA1

    b288a5e3602d7ae8dc36dd599a96db18505ea34b

    SHA256

    38cef761a233c69139074ba5366dbadba96a30035d29bd684fd985f3ea903fcd

    SHA512

    546c7e49a40fde647045c5af19a6761c79ae92377f3802c72c4491ab290f49dfba10fd6d44d9b38fda00860a9e6ec6ab79ad61fbee2d3cb3aeacc0a7a663f3ba

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\shawori4.0.exe
    MD5

    b2d8b1dbac147077cae57ee37de6f696

    SHA1

    b288a5e3602d7ae8dc36dd599a96db18505ea34b

    SHA256

    38cef761a233c69139074ba5366dbadba96a30035d29bd684fd985f3ea903fcd

    SHA512

    546c7e49a40fde647045c5af19a6761c79ae92377f3802c72c4491ab290f49dfba10fd6d44d9b38fda00860a9e6ec6ab79ad61fbee2d3cb3aeacc0a7a663f3ba

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Doc.exe
    MD5

    ff911b01de9c67664cbeebf071651d9b

    SHA1

    a4965610cb6f0a28f29d64977c1535a80ff78792

    SHA256

    75958183900ca3ae5e707883fac463595f5b9faf79ebe14166987abceacd91a9

    SHA512

    bbe15c5e94e89c138503e6790cf186ee7e854e78a4f5c7c743bead341eeb23468e04fbbaf5f6c642f3409e32d62e6ac525548b97f05c67b18150a470b98e238c

    Download Submit
  • \Users\Admin\AppData\Local\Temp\Doc2.exe
    MD5

    f824b1597b0746ebeee1679d0b5dcc20

    SHA1

    00f489e1ccf525375e65fa8b7f5e2c3e805af195

    SHA256

    69cccd5a3c14567765d9ab3c826dbf37c3a82c8c477e3070460c8eb7935dd3f8

    SHA512

    43507337e82242141499a9b987303c1dbcffb9c7674dedd92317c7fe519a615db9b836f0367706a043861635e9305f220dbb4a6781cd34e75ef95469995da057

    Download Submit
  • \Users\Admin\AppData\Local\Temp\shaw snake 4.0.exe
    MD5

    00bbb41ac9e00544de16a8328c0fc897

    SHA1

    b4fcda6c599ed90229094df77d3b4c5eb2e73c94

    SHA256

    01f13fca1b5e671d54999a10a6081e51fae1b37e907a29d800241202f69a196b

    SHA512

    30ac40ace33d6b2693fb9f8910d3b5bf656fb2974551bed20982f2d0a8cb834cdb2a1246fce736371e1f76f0d4a10a8549d41ddd4940f2aef60548de54fadfcb

    Download Submit
  • \Users\Admin\AppData\Local\Temp\shawori4.0.exe
    MD5

    b2d8b1dbac147077cae57ee37de6f696

    SHA1

    b288a5e3602d7ae8dc36dd599a96db18505ea34b

    SHA256

    38cef761a233c69139074ba5366dbadba96a30035d29bd684fd985f3ea903fcd

    SHA512

    546c7e49a40fde647045c5af19a6761c79ae92377f3802c72c4491ab290f49dfba10fd6d44d9b38fda00860a9e6ec6ab79ad61fbee2d3cb3aeacc0a7a663f3ba

    Download Submit
  • memory/540-87-0x0000000000000000-mapping.dmp
    Download
  • memory/540-95-0x0000000004970000-0x0000000004971000-memory.dmp
    Filesize

    4KB

    Download
  • memory/540-93-0x00000000009E0000-0x00000000009E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-82-0x0000000004B60000-0x0000000004B61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/628-62-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/628-61-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/628-63-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/628-64-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/628-65-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/628-66-0x00000000004AA63E-mapping.dmp
    Download
  • memory/628-67-0x0000000000400000-0x00000000004B0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/652-81-0x0000000000BB0000-0x0000000000BB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/652-75-0x0000000000000000-mapping.dmp
    Download
  • memory/652-96-0x00000000005C0000-0x00000000005C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1356-56-0x0000000076A81000-0x0000000076A83000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1356-57-0x0000000002200000-0x0000000002201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1356-58-0x00000000004B0000-0x00000000004B7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1356-59-0x0000000006130000-0x00000000061FE000-memory.dmp
    Filesize

    824KB

    Download
  • memory/1356-54-0x00000000008F0000-0x00000000008F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1464-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1536-98-0x0000000001070000-0x0000000001071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1536-79-0x0000000000000000-mapping.dmp
    Download
  • memory/1536-101-0x0000000004D50000-0x0000000004DC9000-memory.dmp
    Filesize

    484KB

    Download
  • memory/1536-91-0x00000000011B0000-0x00000000011B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1536-104-0x0000000000490000-0x0000000000494000-memory.dmp
    Filesize

    16KB

    Download
  • memory/1536-105-0x0000000005770000-0x00000000057FD000-memory.dmp
    Filesize

    564KB

    Download
  • memory/1536-106-0x0000000005CD0000-0x0000000005D29000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1648-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1648-74-0x0000000000D30000-0x0000000000D31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1648-84-0x00000000049C0000-0x00000000049C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1648-107-0x00000000049C1000-0x00000000049C2000-memory.dmp
    Filesize

    4KB

    Download