Overview

overview

10

Static

static

QUOTE 002242020.exe

windows7_x64

10

QUOTE 002242020.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE 002242020.exe

  • Size

    2.1MB

  • MD5

    bdbfa33c09b950889d9fc19954f20935

  • SHA1

    d9c6cf2322734d49a1c479ff31d044ccef2f739e

  • SHA256

    51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6

  • SHA512

    5ab3679f6c523a4a5d73678461f5089713b06fde01d59d42e2ca728d7723af01d135eba0737bf1606f105bb0a64573807cc687b8f4ba0666f4678948f1ae6fa7

Score
10/10
agentteslaevasionkeyloggerpersistencerezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.parshavayealborz.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P@rshava123456

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • ReZer0 packer 2 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 7 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1832
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:1992
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
          4⤵
          • Drops file in Drivers directory
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Windows\SysWOW64\REG.exe
            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:1300

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/516-87-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/516-96-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/516-95-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/516-94-0x000000000044C43E-mapping.dmp
    Download
  • memory/516-89-0x0000000000400000-0x0000000000452000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1260-55-0x0000000000490000-0x00000000004A6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1260-56-0x0000000007FB0000-0x000000000816A000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1260-54-0x0000000001230000-0x0000000001444000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1300-100-0x0000000000000000-mapping.dmp
    Download
  • memory/1832-63-0x00000000005AD5E6-mapping.dmp
    Download
  • memory/1832-65-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-68-0x00000000003F0000-0x0000000000400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1832-69-0x0000000007CA0000-0x0000000007E20000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1832-57-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-58-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-67-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-60-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-61-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1832-62-0x0000000000400000-0x00000000005B2000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1992-73-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-82-0x000000000042800A-mapping.dmp
    Download
  • memory/1992-84-0x0000000075CE1000-0x0000000075CE3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1992-85-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-86-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-81-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-79-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-77-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-75-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-71-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1992-97-0x0000000002560000-0x00000000025F7000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1992-98-0x0000000002CF0000-0x0000000002D87000-memory.dmp
    Filesize

    604KB

    Download
  • memory/1992-70-0x0000000000400000-0x0000000000579000-memory.dmp
    Filesize

    1.5MB

    Download