Overview

overview

10

Static

static

10

new purcha...ar.exe

windows7_x64

10

new purcha...ar.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    179s
  • max time network
    183s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    new purchase order.rar.exe

  • Size

    523KB

  • MD5

    e50b58922768f36a719aa5e91c086c06

  • SHA1

    f2216e02ce43d07bc6bc8b7fb01461f1d9d1aa91

  • SHA256

    a4d3085a47bf0da4fa557e18de19bada74667d0eaa3dca959990b96215bb25cc

  • SHA512

    ba6be2906587a73203196853952878e017e99ad94edec3195a368edd99f9fb0c2ae3218b84bd943a57f0cdbbd340043c0858b9e050f330dbacdf26b45f32d078

Score
10/10
agentteslasnakebotevasionkeyloggersnakebotspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.villanika.gr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    n2^-9wE@Wl}t

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • SnakeBOT

    SnakeBOT is a heavily obfuscated .NET downloader.

    snakebot
  • AgentTesla Payload 1 IoCs
  • Contains SnakeBOT related strings 1 IoCs
    snakebot
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\new purchase order.rar.exe
    "C:\Users\Admin\AppData\Local\Temp\new purchase order.rar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:2176
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:4720
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
            PID:4760
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "{path}"
            2⤵
              PID:2680
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "{path}"
              2⤵
              • Drops file in Drivers directory
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:4736
              • C:\Windows\SysWOW64\REG.exe
                REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                3⤵
                • Modifies registry key
                PID:2936
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 1480
                3⤵
                • Program crash
                PID:3324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 4736 -ip 4736
            1⤵
              PID:4376

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2176-135-0x0000000000000000-mapping.dmp

              Download

            • memory/2584-131-0x00000000083C0000-0x0000000008964000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/2584-132-0x0000000007E10000-0x0000000007EA2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2584-133-0x0000000007EB0000-0x0000000007EBA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2584-134-0x000000000B3D0000-0x000000000B46C000-memory.dmp

              Filesize

              624KB

              Download

            • memory/2584-130-0x0000000000F10000-0x0000000000F9C000-memory.dmp

              Filesize

              560KB

              Download

            • memory/2680-138-0x0000000000000000-mapping.dmp

              Download

            • memory/2936-142-0x0000000000000000-mapping.dmp

              Download

            • memory/4720-136-0x0000000000000000-mapping.dmp

              Download

            • memory/4736-139-0x0000000000000000-mapping.dmp

              Download

            • memory/4736-140-0x0000000000400000-0x0000000000452000-memory.dmp

              Filesize

              328KB

              Download

            • memory/4736-141-0x00000000061D0000-0x0000000006236000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4736-143-0x00000000066D0000-0x0000000006720000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4760-137-0x0000000000000000-mapping.dmp

              Download