Analysis
- max time kernel: 142s
- max time network: 122s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 21-01-2022 18:34
Static task: static1
Behavioral task: behavioral1 (Sample: vbc.exe, Resource: win7-en-20211208)
Behavioral task: behavioral2 (Sample: vbc.exe, Resource: win10-en-20211208)
General
- Target: vbc.exe
- Size: 193KB
- MD5: b2b0d367777c10ea84ddd200e494fafb
- SHA1: 1c263867f142e10910d6c25274ba2b45115becee
- SHA256: 45e4a0928b9a955dd791cee03ff5157f2eb31d465ba24deb1d40f102f54a3e4a
- SHA512: e4cabfefa77a9ff1686fd717c8b045d24e6167ea421e3e2a4ec5977491592711e9defc9d5ca4925f32c8449bd9428eb6684957a7eee28227e4d3431674b81ad1
Malware Config
Extracted (agenttesla), exfiltration endpoint:
https://api.telegram.org/bot5013020608:AAFu_btAZRcQ9V-SvEIxL9rCbb_x1A-9IJo/sendDocument
Extracted (lokibot), C2 URLs:
http://tootoo.ga/webxpo/gate.php
http://kbfvzoboss.bid/alien/fre.php
http://alphastand.trade/alien/fre.php
http://alphastand.win/alien/fre.php
http://alphastand.top/alien/fre.php
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Guloader, Cloudeye
  A shellcode based downloader first seen in 2020.
- AgentTesla Payload (2 IoCs)
  Processes (resource / yara_rule):
  behavioral1/memory/792-72-0x0000000000400000-0x000000000069B000-memory.dmp / family_agenttesla
  behavioral1/memory/792-73-0x0000000000400000-0x000000000043C000-memory.dmp / family_agenttesla
- Downloads MZ/PE file
- Executes dropped EXE (1 IoCs)
  Processes (pid / process):
  1972 Sknnestes9.exe
- Checks QEMU agent file (2 TTPs, 4 IoCs)
  Checks presence of QEMU agent, possibly to detect virtualization.
  Processes (description / ioc / process):
  File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / vbc.exe
  File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / caspol.exe
  File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / Sknnestes9.exe
  File opened (read-only) / C:\Program Files\Qemu-ga\qemu-ga.exe / Sknnestes9.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
  792 caspol.exe
  792 caspol.exe
  676 Sknnestes9.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Uses the VBS compiler for execution (1 TTPs)
- Accesses Microsoft Outlook profiles (1 TTPs, 6 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / caspol.exe
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / caspol.exe
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / caspol.exe
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook / Sknnestes9.exe
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook / Sknnestes9.exe
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook / Sknnestes9.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (3 IoCs)
  Processes (pid / process):
  792 caspol.exe
  676 Sknnestes9.exe
  676 Sknnestes9.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (4 IoCs)
  Processes (pid / process):
  832 vbc.exe
  792 caspol.exe
  1972 Sknnestes9.exe
  676 Sknnestes9.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description / pid / process / target process):
  PID 832 set thread context of 792 / 832 / vbc.exe / caspol.exe
  PID 1972 set thread context of 676 / 1972 / Sknnestes9.exe / Sknnestes9.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  792 caspol.exe
  792 caspol.exe
- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes (pid / process):
  832 vbc.exe
  1972 Sknnestes9.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 792 / caspol.exe
  Token: SeDebugPrivilege / 676 / Sknnestes9.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes (pid / process):
  832 vbc.exe
  1972 Sknnestes9.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
  PID 832 wrote to memory of 792 / 832 / vbc.exe / caspol.exe (reported 5 times)
  PID 792 wrote to memory of 1972 / 792 / caspol.exe / Sknnestes9.exe (reported 4 times)
  PID 1972 wrote to memory of 676 / 1972 / Sknnestes9.exe / Sknnestes9.exe (reported 5 times)
- outlook_office_path (1 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / caspol.exe
- outlook_win_path (1 IoCs)
  Processes (description / ioc / process):
  Key opened / \REGISTRY\USER\S-1-5-21-3846991908-3261386348-1409841751-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 / caspol.exe
Processes (process tree; depth 1 is the submitted sample, each following entry is a child of the one before)
1. C:\Users\Admin\AppData\Local\Temp\vbc.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe (child of 1)
   Command line: "C:\Users\Admin\AppData\Local\Temp\vbc.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
3. C:\Users\Admin\AppData\Roaming\Sknnestes9.exe (child of 2)
   Command line: "C:\Users\Admin\AppData\Roaming\Sknnestes9.exe"
- Executes dropped EXE
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
4. C:\Users\Admin\AppData\Roaming\Sknnestes9.exe (child of 3)
   Command line: "C:\Users\Admin\AppData\Roaming\Sknnestes9.exe"
- Checks QEMU agent file
- Loads dropped DLL
- Accesses Microsoft Outlook profiles
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\oWd6XQZBhARVHwO1QZW240
  MD5: f97264a5d29376aadd091cb8880bf4e4
  SHA1: 1641d112c7f0f31ccff1b9ccab6222d245642e27
  SHA256: 5bd919690a6400c82da06969c65988a748945cbf3fd6f4ed803884ba516e4bd2
  SHA512: 6badc1c7bd2b5dad04ff809f0ea6e3a590a777fcaef4750e873bdaea24afd9ce4cc5e1190811632c12f9d6a5cfd67e0b449060fd1811bd55e8863f3a5620b0e2
- C:\Users\Admin\AppData\Roaming\Sknnestes9.exe
  MD5: 7e8effc999bf0c37467eb143ab1a693b
  SHA1: 3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9
  SHA256: a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb
  SHA512: 2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7
- \Users\Admin\AppData\Roaming\Sknnestes9.exe
  MD5: 7e8effc999bf0c37467eb143ab1a693b
  SHA1: 3c25794cd6f6693ccd2b29e3b8e89cbbde4d3fa9
  SHA256: a7dcf8734b58bf1c06d4de3c2478d95087c57a411466f760701050b612173cbb
  SHA512: 2f37902c0249f0e70fbe439f43850712bd2a3b7fafc4fa0d0bccbe69f906aa4994ad68298c05dd896a87916f29279c8b5372c8b3f9d968ac4a718a9f376790d7
- memory/676-90-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/676-85-0x00000000001B0000-0x0000000000380000-memory.dmp (Filesize: 1.8MB)
- memory/676-84-0x0000000000400000-0x0000000001462000-memory.dmp (Filesize: 16.4MB)
- memory/676-89-0x00000000777F0000-0x0000000077970000-memory.dmp (Filesize: 1.5MB)
- memory/676-88-0x0000000077610000-0x00000000777B9000-memory.dmp (Filesize: 1.7MB)
- memory/792-65-0x0000000077610000-0x00000000777B9000-memory.dmp (Filesize: 1.7MB)
- memory/792-75-0x000000001FEB0000-0x000000001FEB1000-memory.dmp (Filesize: 4KB)
- memory/792-91-0x000000001FEB1000-0x000000001FEB2000-memory.dmp (Filesize: 4KB)
- memory/792-73-0x0000000000400000-0x000000000043C000-memory.dmp (Filesize: 240KB)
- memory/792-72-0x0000000000400000-0x000000000069B000-memory.dmp (Filesize: 2.6MB)
- memory/792-62-0x0000000000230000-0x0000000000330000-memory.dmp (Filesize: 1024KB)
- memory/832-56-0x0000000000310000-0x0000000000337000-memory.dmp (Filesize: 156KB)
- memory/832-60-0x0000000075891000-0x0000000075893000-memory.dmp (Filesize: 8KB)
- memory/832-59-0x00000000777F0000-0x0000000077970000-memory.dmp (Filesize: 1.5MB)
- memory/832-58-0x0000000077610000-0x00000000777B9000-memory.dmp (Filesize: 1.7MB)
- memory/1972-74-0x0000000000250000-0x0000000000277000-memory.dmp (Filesize: 156KB)
- memory/1972-83-0x00000000777F0000-0x0000000077970000-memory.dmp (Filesize: 1.5MB)
- memory/1972-79-0x00000000777F0000-0x0000000077970000-memory.dmp (Filesize: 1.5MB)
- memory/1972-77-0x0000000077610000-0x00000000777B9000-memory.dmp (Filesize: 1.7MB)