Overview

overview

10

Static

static

PO#3459.jpg.exe

windows7_x64

10

PO#3459.jpg.exe

windows10-2004_x64

10

PO#68732.png.exe

windows7_x64

10

PO#68732.png.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    20-05-2022 23:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#68732.png.exe

  • Size

    2.8MB

  • MD5

    8f12c0c6c1854dae382473bfe77019f7

  • SHA1

    44d776b496ba926e48d5b5def8eeaaab6d64feb8

  • SHA256

    7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510

  • SHA512

    53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c

Score
10/10
agentteslamassloggercollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.kaysarplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abdullah123

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.kaysarplastik.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    abdullah123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 3 IoCs
  • AgentTesla Payload 3 IoCs
  • Executes dropped EXE 4 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO#68732.png.exe
    "C:\Users\Admin\AppData\Local\Temp\PO#68732.png.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2608
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v foxy /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v foxy /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
        3⤵
        • Adds Run key to start application
        PID:3480
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3996
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:4700
        • C:\Users\Admin\AppData\Local\Temp\origiiiy.exe
          "C:\Users\Admin\AppData\Local\Temp\origiiiy.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4500
        • C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe
          "C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:648
          • C:\Windows\SysWOW64\cmd.exe
            "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe' & exit
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:828
            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe'
              6⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:840

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe
    Filesize

    760KB

    MD5

    e360b31265999e9d600c2b98ba69ad83

    SHA1

    48060da28268736d572d26ba635c0d52539390d8

    SHA256

    457c0cd53307232f629bcf3a18030d36cc053b6f096e647cf49334630710c1f9

    SHA512

    b2bdd4e8f180c55428bdb698ed79244d69ca4b9b50c9be04f59103a78e763f834586339d59ef9af42dd2e3aacf2d38068cdc7e6a211d12c3c250774c45152b99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MassLoggerBin.exe
    Filesize

    760KB

    MD5

    e360b31265999e9d600c2b98ba69ad83

    SHA1

    48060da28268736d572d26ba635c0d52539390d8

    SHA256

    457c0cd53307232f629bcf3a18030d36cc053b6f096e647cf49334630710c1f9

    SHA512

    b2bdd4e8f180c55428bdb698ed79244d69ca4b9b50c9be04f59103a78e763f834586339d59ef9af42dd2e3aacf2d38068cdc7e6a211d12c3c250774c45152b99

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\origiiiy.exe
    Filesize

    279KB

    MD5

    f8e56f59f5035e7c8ab16ca9ca382db3

    SHA1

    f4fbca78fe28cf0bd0d38b77f33a7960e94536fe

    SHA256

    e38dd14d76dcca37f9bc11ba99f971087b4880c4ec286efbd577976e0ac38eed

    SHA512

    8125db512042f7bdccc9a70e4e4d80afcaab5a3194e20063fbaaac41768f9ea2ddc03b4f7b3aa13fb7edb948a917e31de353cdf428393cb5ff4dac2274c0b9c0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\origiiiy.exe
    Filesize

    279KB

    MD5

    f8e56f59f5035e7c8ab16ca9ca382db3

    SHA1

    f4fbca78fe28cf0bd0d38b77f33a7960e94536fe

    SHA256

    e38dd14d76dcca37f9bc11ba99f971087b4880c4ec286efbd577976e0ac38eed

    SHA512

    8125db512042f7bdccc9a70e4e4d80afcaab5a3194e20063fbaaac41768f9ea2ddc03b4f7b3aa13fb7edb948a917e31de353cdf428393cb5ff4dac2274c0b9c0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe
    Filesize

    2.8MB

    MD5

    8f12c0c6c1854dae382473bfe77019f7

    SHA1

    44d776b496ba926e48d5b5def8eeaaab6d64feb8

    SHA256

    7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510

    SHA512

    53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\foxy.exe
    Filesize

    2.8MB

    MD5

    8f12c0c6c1854dae382473bfe77019f7

    SHA1

    44d776b496ba926e48d5b5def8eeaaab6d64feb8

    SHA256

    7998ac3e684a8b86abc784ecfbce4a23a54166ef3a08d497a0288dc667c6f510

    SHA512

    53b97b8f079f558dc26422ee9369c01aedc83ed79d5926594a520c9f719ddbba2add6b5e97c844aaf818beac33510d5e4e74ec4eb175e10d52e9404a846a671c

    Download Submit
  • memory/648-152-0x0000000004E40000-0x0000000004EA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/648-151-0x0000000000360000-0x0000000000424000-memory.dmp
    Filesize

    784KB

    Download
  • memory/648-148-0x0000000000000000-mapping.dmp
    Download
  • memory/828-153-0x0000000000000000-mapping.dmp
    Download
  • memory/840-158-0x00000000055B0000-0x0000000005616000-memory.dmp
    Filesize

    408KB

    Download
  • memory/840-159-0x0000000005D80000-0x0000000005D9E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/840-160-0x00000000073A0000-0x0000000007A1A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/840-157-0x0000000004EA0000-0x0000000004EC2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/840-156-0x0000000004F10000-0x0000000005538000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/840-155-0x00000000047E0000-0x0000000004816000-memory.dmp
    Filesize

    216KB

    Download
  • memory/840-161-0x0000000006270000-0x000000000628A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/840-154-0x0000000000000000-mapping.dmp
    Download
  • memory/840-162-0x0000000006DC0000-0x0000000006E56000-memory.dmp
    Filesize

    600KB

    Download
  • memory/840-163-0x0000000006340000-0x0000000006362000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2608-131-0x0000000006560000-0x0000000006B04000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2608-130-0x0000000000C30000-0x0000000000EF8000-memory.dmp
    Filesize

    2.8MB

    Download
  • memory/2608-132-0x0000000006090000-0x0000000006122000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2608-133-0x0000000008110000-0x0000000008154000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3480-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3520-134-0x0000000000000000-mapping.dmp
    Download
  • memory/3996-136-0x0000000000000000-mapping.dmp
    Download
  • memory/4500-147-0x0000000000C60000-0x0000000000CAC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4500-144-0x0000000000000000-mapping.dmp
    Download
  • memory/4500-164-0x0000000006BF0000-0x0000000006C40000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4700-143-0x0000000005630000-0x00000000056CC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4700-140-0x0000000000400000-0x0000000000562000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/4700-139-0x0000000000000000-mapping.dmp
    Download