Overview

overview

10

Static

static

dar.exe

windows7_x64

10

dar.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    176s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 00:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dar.exe

  • Size

    535KB

  • MD5

    a34f16774efd878af58828fdbfdc9d90

  • SHA1

    022ea1acccd4bd60b2e4155d38af6492728d9d8f

  • SHA256

    e4d8083ef442c5a9a0daa9bdd5e86b685cdd47a1c233f35393df55aba4acddbb

  • SHA512

    4e54b9f48c5f9faa68d97f8d36c5e1a455725fb8a948f4db5cab82a983df5c03ad7486098c0559a3eaffd4fc916d05aee398013769905f7ef461929a45c122f8

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sbrenind.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Wiremoney123.

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dar.exe
    "C:\Users\Admin\AppData\Local\Temp\dar.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\neHYJSQZu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AA0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:512
    • C:\Users\Admin\AppData\Local\Temp\dar.exe
      "{path}"
      2⤵
        PID:4696
      • C:\Users\Admin\AppData\Local\Temp\dar.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4004

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dar.exe.log
      Filesize

      685B

      MD5

      64f7d1001f1b3c983776387519079574

      SHA1

      9696fb5ffd5597c12fc1ca6bcb7fe889f8cc9c2c

      SHA256

      b7724fa480f240bb6e0131973d0f085d5fb0865677f277a2a306f4fa89c89485

      SHA512

      bf81147d1a43290c845f788fbe633bf0ae8abff31a342b0278e525fdf65bd5294e797b3a11f375027e5b2c42d224459583d5a0e753f563d5034d4d7653d39eba

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\tmp4AA0.tmp
      Filesize

      1KB

      MD5

      216d4b0ded7adbd04d2ee6ab2c17c911

      SHA1

      fb69acce58d3f46f7c44579e7dce991f2d8117b2

      SHA256

      cf960d4d741c101b566c04dc578e8a318507b1a0d73d80203732da2044655df4

      SHA512

      a2e2bb8130eabbdbb381e8c1e45f085ce587ddea7952e977c1f75c5522e81c5610b379625cd822d57f264ac97e58c676e378ce8d8180d0dc0548ecff33a146fa

      Download Submit
    • memory/512-135-0x0000000000000000-mapping.dmp
      Download
    • memory/3048-130-0x0000000000D40000-0x0000000000DCC000-memory.dmp
      Filesize

      560KB

      Download
    • memory/3048-131-0x0000000005E70000-0x0000000006414000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3048-132-0x0000000005770000-0x0000000005802000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3048-133-0x00000000065B0000-0x0000000006736000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3048-134-0x0000000005CF0000-0x0000000005D8C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4004-138-0x0000000000000000-mapping.dmp
      Download
    • memory/4004-139-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4004-141-0x00000000063C0000-0x0000000006426000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4696-137-0x0000000000000000-mapping.dmp
      Download