General

Target: duk (3).exe
Filesize: 511KB
Completed: 21-05-2022 18:54
Task: behavioral1
Score: 10/10
MD5: 04b191c4242a98c5b14ed1de9c61ef8c
SHA1: 4c4fafb67933eb18100acdc76128f42dc9a9525f
SHA256: bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175
SHA512: c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b

Malware Config

Extracted

Family: agenttesla

Credentials
Protocol: smtp
Host: mail.hotel71.com.bd
Port: 587
Username: chat@hotel71.com.bd
Password: 9+^va&phP1v9

Signatures (17)

  • AgentTesla

    Description: Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • CoreEntity .NET Packer

    Description: A .NET packer called CoreEntity that embeds the payload as a BitMap object which is later decrypted.

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1304-56-0x00000000002E0000-0x00000000002E8000-memory.dmp   coreentity
  • SnakeBOT

    Description: SnakeBOT is a heavily obfuscated .NET downloader.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1008-61-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
    behavioral1/memory/1008-62-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
    behavioral1/memory/1008-63-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
    behavioral1/memory/1008-64-0x000000000044AC5E-mapping.dmp                     family_agenttesla
    behavioral1/memory/1008-66-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla
    behavioral1/memory/1008-68-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla

  • Contains SnakeBOT related strings

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1304-54-0x0000000000250000-0x00000000002DA000-memory.dmp   snakebot_strings

  • ReZer0 packer

    Description: Detects ReZer0, a packer with multiple versions used in various campaigns.

    Reported IOCs

    resource                                                                     yara_rule
    behavioral1/memory/1304-57-0x0000000007690000-0x00000000076E8000-memory.dmp   rezer0
  • Disables Task Manager via registry modification

  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    description                    ioc                                       process
    File opened for modification   C:\Windows\system32\drivers\etc\hosts     RegSvcs.exe

  • Accesses Microsoft Outlook profiles
    RegSvcs.exe

    TTPs

    Email Collection

    Reported IOCs

    description   ioc                                                                                                                                                                    process
    Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                           RegSvcs.exe
    Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
    Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676                           RegSvcs.exe
  • Suspicious use of SetThreadContext
    duk (3).exe

    Reported IOCs

    description                           pid    process       target process
    PID 1304 set thread context of 1008   1304   duk (3).exe   RegSvcs.exe

  • Modifies registry key
    REG.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid   process
    900   REG.exe

  • Suspicious behavior: EnumeratesProcesses
    RegSvcs.exe

    Reported IOCs

    pid    process
    1008   RegSvcs.exe
    1008   RegSvcs.exe

  • Suspicious use of AdjustPrivilegeToken
    duk (3).exe, RegSvcs.exe

    Reported IOCs

    description               pid    process
    Token: SeDebugPrivilege   1304   duk (3).exe
    Token: SeDebugPrivilege   1008   RegSvcs.exe

  • Suspicious use of SetWindowsHookEx
    duk (3).exe

    Reported IOCs

    pid    process
    1304   duk (3).exe
    1304   duk (3).exe

  • Suspicious use of WriteProcessMemory
    duk (3).exe, RegSvcs.exe

    Reported IOCs

    description                        pid    process       target process
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1304 wrote to memory of 1008   1304   duk (3).exe   RegSvcs.exe
    PID 1008 wrote to memory of 900    1008   RegSvcs.exe   REG.exe
    PID 1008 wrote to memory of 900    1008   RegSvcs.exe   REG.exe
    PID 1008 wrote to memory of 900    1008   RegSvcs.exe   REG.exe
    PID 1008 wrote to memory of 900    1008   RegSvcs.exe   REG.exe
    PID 1008 wrote to memory of 1716   1008   RegSvcs.exe   netsh.exe
    PID 1008 wrote to memory of 1716   1008   RegSvcs.exe   netsh.exe
    PID 1008 wrote to memory of 1716   1008   RegSvcs.exe   netsh.exe
    PID 1008 wrote to memory of 1716   1008   RegSvcs.exe   netsh.exe

  • outlook_office_path
    RegSvcs.exe

    Reported IOCs

    description   ioc                                                                                                                                              process
    Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe

  • outlook_win_path
    RegSvcs.exe

    Reported IOCs

    description   ioc                                                                                                                                                                    process
    Key opened    \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676   RegSvcs.exe
Processes (4)
  • C:\Users\Admin\AppData\Local\Temp\duk (3).exe
    "C:\Users\Admin\AppData\Local\Temp\duk (3).exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1304
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      Drops file in Drivers directory
      Accesses Microsoft Outlook profiles
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      outlook_office_path
      outlook_win_path
      PID:1008
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Modifies registry key
        PID:900
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        PID:1716
Network
MITRE ATT&CK Matrix

  • Collection
  • Command and Control
  • Credential Access
  • Defense Evasion
  • Discovery
  • Execution
  • Exfiltration
  • Impact
  • Initial Access
  • Lateral Movement
  • Persistence
  • Privilege Escalation