Overview

overview

10

Static

static

yUJ6pfrBT92ChKS.exe

windows7_x64

10

yUJ6pfrBT92ChKS.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 00:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yUJ6pfrBT92ChKS.exe

  • Size

    529KB

  • MD5

    8c32f596fbd2f52b34d1c891a0559493

  • SHA1

    67b0750eef95d840137b274a0c486c7cb63a0601

  • SHA256

    25387e5ca0782bee6e0d9aa279453187cbee9d86bfa0fca6246725ff20f45f92

  • SHA512

    9b627e1377bb4ef33de88ab2ab62de22222f53e625793cdff218526afe78e105b140fc997de06639a26b85fc57852a0d3fcd7481ae4d838a42cc5b1dbb7625c0

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.rajalakshmi.co.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    009_DESign1*

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yUJ6pfrBT92ChKS.exe
    "C:\Users\Admin\AppData\Local\Temp\yUJ6pfrBT92ChKS.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1276
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\loggsPtbbRAy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAC76.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:912
    • C:\Users\Admin\AppData\Local\Temp\yUJ6pfrBT92ChKS.exe
      "{path}"
      2⤵
        PID:1072
      • C:\Users\Admin\AppData\Local\Temp\yUJ6pfrBT92ChKS.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1824

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Virtualization/Sandbox Evasion

    2
    T1497

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Virtualization/Sandbox Evasion

    2
    T1497

    System Information Discovery

    3
    T1082

    Peripheral Device Discovery

    1
    T1120

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpAC76.tmp
      Filesize

      1KB

      MD5

      3c81a2d51b35176bfb201d31d7877256

      SHA1

      53b326fdbec6aeaa2da37eb5ca0919d3c161107a

      SHA256

      657f16a6e7eb78dc0f6ab6bcc776d226c1e8995a9ae3e07453dfb889e5b7747f

      SHA512

      814de2e71788dabb4a410250dc0f7dbe8d4d7d8397bff674c01c326e080166501860285a7834f4c2cb68279198d8983e81a031bc9c7fcef68ceee1ab3b6e387d

      Download Submit
    • memory/912-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1276-57-0x0000000002120000-0x0000000002186000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1276-54-0x0000000000C40000-0x0000000000CCA000-memory.dmp
      Filesize

      552KB

      Download
    • memory/1276-58-0x00000000003D0000-0x000000000041E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1276-56-0x00000000004E0000-0x00000000004F0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1276-55-0x00000000756E1000-0x00000000756E3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1824-61-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-62-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-64-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-65-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-67-0x00000000004491EE-mapping.dmp
      Download
    • memory/1824-66-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-69-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download
    • memory/1824-71-0x0000000000400000-0x000000000044E000-memory.dmp
      Filesize

      312KB

      Download