Overview

overview

10

Static

static

PO#3459.jpg.exe

windows7_x64

10

PO#3459.jpg.exe

windows10-2004_x64

10

PO#68732.png.exe

windows7_x64

10

PO#68732.png.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#3459.jpg.exe

  • Size

    703KB

  • MD5

    518090e39e06e5f3efcebcdf9404183d

  • SHA1

    c47e0de5fe58346e3575aab0bbb8af3a638f04c6

  • SHA256

    006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7

  • SHA512

    ea436927dfd75d312e96cd8afcd7e8e274d31f9c04d72d1742a323a1a65417b59a04fffd720ed4655730b34cfb48d78d4fa37f3f5e0f3652f003e720dc13cb5b

Score
10/10
agentteslaagilenetkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.kaysarplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abdullah123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#3459.jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#3459.jpg.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v lux /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v lux /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe"
        3⤵
        • Adds Run key to start application
        PID:2000
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1532

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe
    Filesize

    703KB

    MD5

    518090e39e06e5f3efcebcdf9404183d

    SHA1

    c47e0de5fe58346e3575aab0bbb8af3a638f04c6

    SHA256

    006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7

    SHA512

    ea436927dfd75d312e96cd8afcd7e8e274d31f9c04d72d1742a323a1a65417b59a04fffd720ed4655730b34cfb48d78d4fa37f3f5e0f3652f003e720dc13cb5b

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe
    Filesize

    703KB

    MD5

    518090e39e06e5f3efcebcdf9404183d

    SHA1

    c47e0de5fe58346e3575aab0bbb8af3a638f04c6

    SHA256

    006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7

    SHA512

    ea436927dfd75d312e96cd8afcd7e8e274d31f9c04d72d1742a323a1a65417b59a04fffd720ed4655730b34cfb48d78d4fa37f3f5e0f3652f003e720dc13cb5b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    40KB

    MD5

    91c9ae9c9a17a9db5e08b120e668c74c

    SHA1

    50770954c1ceb0bb6f1d5d3f2de2a0a065773723

    SHA256

    e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f

    SHA512

    ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

    Download Submit
  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\lux.exe
    Filesize

    703KB

    MD5

    518090e39e06e5f3efcebcdf9404183d

    SHA1

    c47e0de5fe58346e3575aab0bbb8af3a638f04c6

    SHA256

    006e2d9f385a7c4d88299832906bf975a311e61ad24fb8b5b1130a9f308cb8c7

    SHA512

    ea436927dfd75d312e96cd8afcd7e8e274d31f9c04d72d1742a323a1a65417b59a04fffd720ed4655730b34cfb48d78d4fa37f3f5e0f3652f003e720dc13cb5b

    Download Submit
  • memory/892-55-0x0000000000580000-0x000000000059E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/892-56-0x00000000005E0000-0x00000000005EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/892-54-0x0000000001220000-0x00000000012D6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/1532-70-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-71-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-79-0x00000000763B1000-0x00000000763B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1532-78-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-67-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-68-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-76-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1532-73-0x000000000044705E-mapping.dmp
    Download
  • memory/1532-72-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1720-64-0x0000000000620000-0x000000000062A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1720-60-0x0000000000000000-mapping.dmp
    Download
  • memory/1720-63-0x0000000000E50000-0x0000000000F06000-memory.dmp
    Filesize

    728KB

    Download
  • memory/2000-58-0x0000000000000000-mapping.dmp
    Download
  • memory/2044-57-0x0000000000000000-mapping.dmp
    Download