Overview

overview

10

Static

static

10

hesapharek...df.exe

windows7_x64

10

hesapharek...df.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    154s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    hesaphareketi000001,pdf.exe

  • Size

    2.9MB

  • MD5

    62365690663bb84166207a981d124d64

  • SHA1

    35a0d45093ab7d5e6acc22b0f1b1ee0eaf38da26

  • SHA256

    d90041e6b2a7deca5936829d8a2f6b9c190abcab6c81c3a99b22d41ed6fffbb0

  • SHA512

    2b35cbbe45a125f373d4f57b1184e12ab88c4cd6c76d51bdc4f928a89bdf324eb4cd036fe9df22c69858bd83d9bfd07b012630ea7ebccbb877373f3c235b1135

Score
10/10
agentteslamassloggercollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.cappac.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    aTlcLVD6nhEE

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • MassLogger

    Masslogger is a .NET stealer targeting passwords from browsers, email and cryptocurrency clients.

    stealerspywaremasslogger
  • MassLogger Main Payload 5 IoCs
  • AgentTesla Payload 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\hesaphareketi000001,pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\hesaphareketi000001,pdf.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
        "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1096
        • C:\Windows\SysWOW64\cmd.exe
          "cmd" /c start /b powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe' & exit
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1200
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Start-Sleep -Seconds 2; Remove-Item -path 'C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe'
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4896
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chromee /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Windows\SysWOW64\reg.exe
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v chromee /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe"
        3⤵
        • Adds Run key to start application
        PID:5036
    • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
      "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      2⤵
      • Executes dropped EXE
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:5008

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Filesize

    41KB

    MD5

    5d4073b2eb6d217c19f2b22f21bf8d57

    SHA1

    f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

    SHA256

    ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

    SHA512

    9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe
    Filesize

    1.2MB

    MD5

    9a4460e1522d6e13d6f326674524c405

    SHA1

    d8484d2d265f4f5d83917532465210ddf658aa08

    SHA256

    0122fb26a12f86f9e8eef0498a4d7f350846885bdb8b6ced21a68baa0e73be6b

    SHA512

    0bd99764516d33191d5bf7b2c3b1f247aad039136892f39c4941c8aa07f4c1cc3935949c1d8c91ec4a28ec3125302357390df9be6187720ccdb0a97221bfa1a2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\chromee.exe
    Filesize

    1.2MB

    MD5

    9a4460e1522d6e13d6f326674524c405

    SHA1

    d8484d2d265f4f5d83917532465210ddf658aa08

    SHA256

    0122fb26a12f86f9e8eef0498a4d7f350846885bdb8b6ced21a68baa0e73be6b

    SHA512

    0bd99764516d33191d5bf7b2c3b1f247aad039136892f39c4941c8aa07f4c1cc3935949c1d8c91ec4a28ec3125302357390df9be6187720ccdb0a97221bfa1a2

    Download Submit

  • memory/1096-146-0x0000000000000000-mapping.dmp

    Download

  • memory/1096-149-0x0000000000590000-0x000000000062A000-memory.dmp

    Filesize

    616KB

    Download

  • memory/1200-150-0x0000000000000000-mapping.dmp

    Download

  • memory/1752-133-0x0000000005E50000-0x0000000005E94000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1752-130-0x00000000005F0000-0x00000000008D2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/1752-132-0x0000000005A20000-0x0000000005AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1752-131-0x0000000005ED0000-0x0000000006474000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4200-137-0x0000000000020000-0x0000000000156000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4200-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4596-138-0x0000000000000000-mapping.dmp

    Download

  • memory/4896-152-0x0000000003030000-0x0000000003066000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4896-156-0x00000000062D0000-0x0000000006336000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4896-160-0x0000000006E80000-0x0000000006E9A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4896-159-0x00000000081E0000-0x000000000885A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4896-158-0x0000000006990000-0x00000000069AE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4896-151-0x0000000000000000-mapping.dmp

    Download

  • memory/4896-155-0x0000000005A20000-0x0000000005A42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4896-153-0x0000000005C30000-0x0000000006258000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/5008-154-0x0000000006850000-0x00000000068A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/5008-145-0x0000000005FE0000-0x0000000006046000-memory.dmp

    Filesize

    408KB

    Download

  • memory/5008-157-0x0000000006490000-0x000000000649A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5008-140-0x0000000000000000-mapping.dmp

    Download

  • memory/5008-141-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/5008-144-0x0000000005270000-0x000000000530C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5036-139-0x0000000000000000-mapping.dmp

    Download