Overview

overview

10

Static

static

SOA.rar.exe

windows7_x64

10

SOA.rar.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 18:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA.rar.exe

  • Size

    2.0MB

  • MD5

    6e87a2e7ef62721a2aef357431076a7a

  • SHA1

    1cdf35c6ea661a2ef0461d7b8de441eb8dd802b1

  • SHA256

    5f409bddf5b4efe31ec833332774381385c1a31e3e2d8e5e3b2d2f934be0a5a7

  • SHA512

    a752bb0fb663a27d4034478f3b4b63e005ce5b95a3db699b7918a59583e25182b50eca769994008bf6fc00ad9819daa91f476384c12e5511f8716da668f221dc

Score
10/10
agentteslaevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.parshavayealborz.com
  • Port:
    587
  • Username:
    info@parshavayealborz.com
  • Password:
    P@rshava123456

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 4 IoCs
  • Program crash 1 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 43 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOA.rar.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.rar.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2852
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
          PID:3844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          3⤵
            PID:4368
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
            "{path}"
            3⤵
              PID:1820
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "{path}"
              3⤵
              • Drops startup file
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:224
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                4⤵
                • Drops file in Drivers directory
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4704
                • C:\Windows\SysWOW64\REG.exe
                  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                  5⤵
                  • Modifies registry key
                  PID:3760
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 1620
                  5⤵
                  • Program crash
                  PID:3464
              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
                "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
                4⤵
                • Drops file in Drivers directory
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:4852
                • C:\Windows\SysWOW64\REG.exe
                  REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                  5⤵
                  • Modifies registry key
                  PID:4844
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 4704 -ip 4704
          1⤵
            PID:1008

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Registry Run Keys / Startup Folder

          1
          T1060

          Privilege Escalation

          Defense Evasion

          Modify Registry

          2
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            846B

            MD5

            5b2d17233558878a82ee464d04f58b59

            SHA1

            47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

            SHA256

            5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

            SHA512

            d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

            Download Submit
          • memory/224-139-0x0000000000000000-mapping.dmp
            Download
          • memory/224-143-0x0000000000400000-0x0000000000579000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/224-142-0x0000000000400000-0x0000000000579000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/224-150-0x0000000004740000-0x00000000047D7000-memory.dmp
            Filesize

            604KB

            Download
          • memory/224-141-0x0000000000400000-0x0000000000579000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/224-140-0x0000000000400000-0x0000000000579000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/224-151-0x0000000004880000-0x0000000004917000-memory.dmp
            Filesize

            604KB

            Download
          • memory/1820-138-0x0000000000000000-mapping.dmp
            Download
          • memory/2852-133-0x00000000089A0000-0x0000000008F44000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/2852-130-0x00000000004E0000-0x00000000006F2000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/2852-132-0x0000000005150000-0x00000000051EC000-memory.dmp
            Filesize

            624KB

            Download
          • memory/2852-131-0x00000000050B0000-0x0000000005142000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3760-153-0x0000000000000000-mapping.dmp
            Download
          • memory/3844-136-0x0000000000000000-mapping.dmp
            Download
          • memory/4328-135-0x0000000000400000-0x00000000005B2000-memory.dmp
            Filesize

            1.7MB

            Download
          • memory/4328-134-0x0000000000000000-mapping.dmp
            Download
          • memory/4368-137-0x0000000000000000-mapping.dmp
            Download
          • memory/4704-145-0x0000000000400000-0x0000000000452000-memory.dmp
            Filesize

            328KB

            Download
          • memory/4704-144-0x0000000000000000-mapping.dmp
            Download
          • memory/4704-152-0x0000000005F80000-0x0000000005FE6000-memory.dmp
            Filesize

            408KB

            Download
          • memory/4704-154-0x0000000006B30000-0x0000000006B80000-memory.dmp
            Filesize

            320KB

            Download
          • memory/4844-162-0x0000000000000000-mapping.dmp
            Download
          • memory/4852-155-0x0000000000000000-mapping.dmp
            Download