Overview

overview

10

Static

static

0900080000...00.exe

windows7_x64

10

0900080000...00.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    21-02-2022 23:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    090008000000000000.exe

  • Size

    1.2MB

  • MD5

    4c7fe9c4af3c08960d1490c0ba409694

  • SHA1

    67b090a0aab7e6452d4fba12f2d625e276402096

  • SHA256

    614f64c6f6fb4e6a6bdb91333773972139b112937bff6a22e19c9a5d283b8097

  • SHA512

    a5d70d3958b0979f39d2417cdfb26de1aac81482d48151310fa8cf99ad0d7ddeb83f1812ac611debd7ee052adb7bd109d5828e09a2fd765be2dbf5e35a3889a6

Score
10/10
agentteslamatiexsnakekeyloggercollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Matiex

    Matiex is a keylogger and infostealer first seen in July 2020.

    stealerkeyloggermatiex
  • Matiex Main Payload 5 IoCs
  • Snake Keylogger

    Keylogger and Infostealer first seen in November 2020.

    stealerkeyloggersnakekeylogger
  • AgentTesla Payload 5 IoCs
  • Executes dropped EXE 3 IoCs
  • Drops startup file 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 9 IoCs
    collection
  • Looks up external IP address via web service 6 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 54 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe
    "C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\090008000000000000.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1704
      • C:\Users\Admin\AppData\Local\Temp\4.0.exe
        "C:\Users\Admin\AppData\Local\Temp\4.0.exe" 0
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3408
      • C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
        "C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe" 0
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
        "C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe" 0
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3524
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          4⤵
            PID:2024
    • C:\Windows\System32\svchost.exe
      C:\Windows\System32\svchost.exe -k NetworkService -p
      1⤵
      • Drops file in Windows directory
      • Modifies data under HKEY_USERS
      PID:1408
    • C:\Windows\system32\MusNotifyIcon.exe
      %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
      1⤵
      • Checks processor information in registry
      PID:812
    • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
      C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
      1⤵
      • Drops file in Windows directory
      • Suspicious use of AdjustPrivilegeToken
      PID:3768

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\4.0.exe
      MD5

      bd5fe63e3666a489e7a221647f6f3807

      SHA1

      52a8db03aa3db1b9a287688afeffa9f041c3811c

      SHA256

      5a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e

      SHA512

      631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\4.0.exe
      MD5

      bd5fe63e3666a489e7a221647f6f3807

      SHA1

      52a8db03aa3db1b9a287688afeffa9f041c3811c

      SHA256

      5a46b373a0a0894870f5a63e52477dbe71e78efe35aa373c30d2edbdf3e35f9e

      SHA512

      631a0ce258d4ae4ab81ca69ff344eb8733e5507b4f88c27f8b7491bed8fe2362f944bbdff51abf3089c03a67149a102cce8989d985e60a9531b77a7f260b90e6

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
      MD5

      f615aa95251fc14492843942a588614c

      SHA1

      296669e81c271762d5068f8a9ecbb354ffc335c9

      SHA256

      e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b

      SHA512

      ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\MATIEX GODISOD 4.0 .exe
      MD5

      f615aa95251fc14492843942a588614c

      SHA1

      296669e81c271762d5068f8a9ecbb354ffc335c9

      SHA256

      e0b3bd3f2fadd3ef560c7dc1c13e1f50351e8df61139eb8e6367badf7689e71b

      SHA512

      ad58e4b52132a0c186ff14040bf95cc1c8d65b307c90a6004e1d58e365c91635d998e3259cb5575c79aeb0aed08dd55a827edadfbef7f0ecfbc500dd9b42b6f1

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
      MD5

      e33e63bda6a3976ecadfa9ee6f096944

      SHA1

      68b683bb325ae9c21f471593f007c797a02dc497

      SHA256

      c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142

      SHA512

      91b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\bilgi snake 2021.exe
      MD5

      e33e63bda6a3976ecadfa9ee6f096944

      SHA1

      68b683bb325ae9c21f471593f007c797a02dc497

      SHA256

      c2d3a6b20eb4bc377bf9be955b23615492786be0613373bfc7f440ab872a8142

      SHA512

      91b672e86e30804e7e632d79e78c99ac9a0ee7c8468ad9eecc555f15773bb535d430f0c39efa61d9afdec7bb3f05f97cd18126e6c16eb6b1036e131b8f256142

      Download Submit
    • memory/1368-142-0x00000000075A0000-0x0000000007BC8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/1368-144-0x00000000746FE000-0x00000000746FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1368-170-0x0000000009500000-0x0000000009596000-memory.dmp
      Filesize

      600KB

      Download
    • memory/1368-141-0x0000000006F30000-0x0000000006F66000-memory.dmp
      Filesize

      216KB

      Download
    • memory/1368-171-0x0000000008950000-0x000000000896A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/1368-143-0x0000000007C40000-0x0000000007C62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1368-145-0x0000000007DE0000-0x0000000007E46000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1368-172-0x00000000089A0000-0x00000000089C2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1368-147-0x0000000006F20000-0x0000000006F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1368-148-0x0000000006F22000-0x0000000006F23000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1368-152-0x00000000084E0000-0x00000000084FE000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1368-146-0x0000000007E50000-0x0000000007EB6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1488-165-0x00000000746FE000-0x00000000746FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1488-160-0x0000000000770000-0x00000000007DA000-memory.dmp
      Filesize

      424KB

      Download
    • memory/1488-174-0x00000000065F0000-0x00000000067B2000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1488-167-0x00000000051B0000-0x00000000051B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1704-149-0x0000000000400000-0x000000000050C000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1704-153-0x0000000000400000-0x000000000050C000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2460-130-0x00000000746FE000-0x00000000746FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2460-169-0x0000000009570000-0x00000000095AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/2460-138-0x0000000009430000-0x00000000094CC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2460-137-0x0000000005633000-0x0000000005635000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2460-136-0x0000000008FC0000-0x00000000090CA000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2460-135-0x0000000005480000-0x000000000548A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2460-134-0x0000000005630000-0x0000000005631000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2460-133-0x0000000005490000-0x0000000005522000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2460-132-0x00000000059A0000-0x0000000005F44000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2460-131-0x00000000009B0000-0x0000000000ADC000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3408-156-0x00000000746FE000-0x00000000746FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3408-164-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3408-157-0x0000000000130000-0x000000000016C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/3408-175-0x0000000006410000-0x0000000006460000-memory.dmp
      Filesize

      320KB

      Download
    • memory/3408-176-0x0000000004BD1000-0x0000000004BD2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3524-168-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3524-166-0x00000000746FE000-0x00000000746FF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3524-163-0x00000000002F0000-0x0000000000366000-memory.dmp
      Filesize

      472KB

      Download