Overview

overview

10

Static

static

OJZVQGRB.exe

windows7_x64

10

OJZVQGRB.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    72s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    OJZVQGRB.exe

  • Size

    457KB

  • MD5

    9176cc3a2b72f6ddc6ca7ca9f0408c8b

  • SHA1

    5db086b22bb97d2e373f31b791ff0930bd82cb69

  • SHA256

    a6584d03c245b4cebded9264308da12b97193ad6ae195636d9f447b6c4ce7698

  • SHA512

    d4dae7fe898e4f7883153ee25cd1c3dc1bb57fbe04f1536d9c49169ccef119ad6865498c8c0737ccc2fee67690c53f452622d1bf95d8fdef3e5f5b22f3c82815

Score
10/10
agentteslacollectionevasionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.samudrapanel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    weslali234

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
    "C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1156
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hXfilQolLOYnI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1460
    • C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
      "{path}"
      2⤵
        PID:1004
      • C:\Users\Admin\AppData\Local\Temp\OJZVQGRB.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:520
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:1216

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Credentials in Files

      3
      T1081

      Discovery

      Query Registry

      4
      T1012

      Virtualization/Sandbox Evasion

      2
      T1497

      System Information Discovery

      3
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Data from Local System

      3
      T1005

      Email Collection

      1
      T1114

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp2C4F.tmp
        Filesize

        1KB

        MD5

        23ef9c3328c3783efc8dd406c9e5de8c

        SHA1

        20e32dc22280a681de1469adc5e7c6e9a4f5839e

        SHA256

        71c674c17a6b91ce2aa431c3e8847ea9f7dbcd04da8ed67a6493be99d1e9acf8

        SHA512

        7b08f556fc87c49fe96c75589dd3f840afe52cc83a4dec479384268266a49f8d05855dfa83de5c6a67c75b90034e925191164146e254ec522846c0f0981babdc

        Download Submit
      • memory/520-64-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-66-0x000000000044A9DE-mapping.dmp
        Download
      • memory/520-70-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-68-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-65-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-60-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-61-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/520-63-0x0000000000400000-0x0000000000450000-memory.dmp
        Filesize

        320KB

        Download
      • memory/1156-54-0x0000000000EE0000-0x0000000000F58000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1156-55-0x00000000755C1000-0x00000000755C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1156-56-0x00000000004C0000-0x00000000004C8000-memory.dmp
        Filesize

        32KB

        Download
      • memory/1156-57-0x0000000005030000-0x0000000005086000-memory.dmp
        Filesize

        344KB

        Download
      • memory/1216-72-0x0000000000000000-mapping.dmp
        Download
      • memory/1460-58-0x0000000000000000-mapping.dmp
        Download