General

Target: duk (3).exe
Filesize: 511KB
Completed: 21-05-2022 18:54
Task: behavioral2
Score: 10/10
MD5: 04b191c4242a98c5b14ed1de9c61ef8c
SHA1: 4c4fafb67933eb18100acdc76128f42dc9a9525f
SHA256: bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175
SHA512: c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b

Malware Config

Extracted
Family: agenttesla

Credentials
Protocol: smtp
Host: mail.hotel71.com.bd
Port: 587
Username: chat@hotel71.com.bd
Password: 9+^va&phP1v9

Signatures 13

  • AgentTesla

    Description

    Agent Tesla is a remote access tool (RAT) and information stealer written in Visual Basic (.NET).

  • SnakeBOT

    Description

    SnakeBOT is a heavily obfuscated .NET downloader.

  • AgentTesla Payload

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp   family_agenttesla

  • Contains SnakeBOT related strings

    Reported IOCs

    resource                                                                       yara_rule
    behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp   snakebot_strings

  • Disables Task Manager via registry modification

  • Drops file in Drivers directory
    RegSvcs.exe

    Reported IOCs

    description                   ioc                                      process
    File opened for modification  C:\Windows\system32\drivers\etc\hosts    RegSvcs.exe

  • Suspicious use of SetThreadContext
    duk (3).exe

    Reported IOCs

    description                            pid   process      target process
    PID 1160 set thread context of 4476    1160  duk (3).exe  RegSvcs.exe

  • Program crash
    WerFault.exe

    Reported IOCs

    pid   pid_target  process       target process
    2896  4476        WerFault.exe  RegSvcs.exe

  • Modifies registry key
    REG.exe

    TTPs

    Modify Registry

    Reported IOCs

    pid   process
    2484  REG.exe

  • Suspicious behavior: EnumeratesProcesses
    RegSvcs.exe

    Reported IOCs

    pid   process      events
    4476  RegSvcs.exe  2

  • Suspicious use of AdjustPrivilegeToken
    duk (3).exe, RegSvcs.exe

    Reported IOCs

    description              pid   process
    Token: SeDebugPrivilege  1160  duk (3).exe
    Token: SeDebugPrivilege  4476  RegSvcs.exe

  • Suspicious use of SetWindowsHookEx
    duk (3).exe

    Reported IOCs

    pid   process      events
    1160  duk (3).exe  2

  • Suspicious use of WriteProcessMemory
    duk (3).exe, RegSvcs.exe

    Reported IOCs

    description                        pid   process      target process  events
    PID 1160 wrote to memory of 4476   1160  duk (3).exe  RegSvcs.exe     8
    PID 4476 wrote to memory of 2484   4476  RegSvcs.exe  REG.exe         3
    PID 4476 wrote to memory of 5068   4476  RegSvcs.exe  netsh.exe       3
Processes 6
  • C:\Users\Admin\AppData\Local\Temp\duk (3).exe
    "C:\Users\Admin\AppData\Local\Temp\duk (3).exe"
    Suspicious use of SetThreadContext
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of SetWindowsHookEx
    Suspicious use of WriteProcessMemory
    PID:1160
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      Drops file in Drivers directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4476
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        Modifies registry key
        PID:2484
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        PID:5068
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1576
        Program crash
        PID:2896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476
    PID:4812
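The process tree above is the delivery pattern this run exhibits: a .NET dropper in the user's Temp directory starts the legitimate .NET utility RegSvcs.exe, writes into it and resets its thread context (the WriteProcessMemory and SetThreadContext signatures are the classic process-hollowing sequence), and the hollowed RegSvcs.exe then disables Task Manager via REG.exe and enumerates saved Wi-Fi profiles via netsh. The following Python is an added example, not sandbox output or code from the Triage report, of how that chain can be detected from process-creation telemetry. The events are constructed to mirror the tree above; the event field names (pid, ppid, image, parent_image, cmdline), the rule names, the explorer.exe parent of the dropper and the benign MSBuild control case are assumptions of this example.

```python
"""Detect the dropper -> RegSvcs.exe -> REG.exe/netsh.exe chain from
process-creation events (Sysmon Event ID 1 style).

Added example; the events below are constructed to mirror the process tree
in this report. Field names and rule names are assumptions of this example.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str         # full path of the new process
    parent_image: str  # full path of its parent
    cmdline: str


# RegSvcs.exe (the .NET Services Registration Tool) is normally started by a
# build or installer tool. A copy whose parent runs from a user-writable
# directory is the hollowing host seen in this report.
BENIGN_REGSVCS_PARENTS = {"msbuild.exe", "devenv.exe", "msiexec.exe", "installutil.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# REG add ...\Policies\System /v DisableTaskMgr ... /d 1
DISABLE_TASKMGR = re.compile(
    r"policies\\system\b.*\bDisableTaskMgr\b.*(?:^|\s)/d\s+(?:0x)?0*1\b", re.I)
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profiles?\b", re.I)


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, quotes stripped."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) alerts. A correlated 'hollowing_chain' alert is
    added when one suspicious RegSvcs.exe parents both the REG and netsh hits."""
    alerts: List[Tuple[str, int]] = []
    for e in events:
        img, parent = basename(e.image), basename(e.parent_image)
        if (img == "regsvcs.exe" and parent not in BENIGN_REGSVCS_PARENTS
                and USER_WRITABLE.search(e.parent_image)):
            alerts.append(("regsvcs_from_user_dir", e.pid))
        if img == "reg.exe" and DISABLE_TASKMGR.search(e.cmdline):
            alerts.append(("disable_taskmgr", e.pid))
        if img == "netsh.exe" and WLAN_PROFILE.search(e.cmdline):
            alerts.append(("wlan_profile_enum", e.pid))

    by_pid = {e.pid: e for e in events}
    for host in [pid for rule, pid in alerts if rule == "regsvcs_from_user_dir"]:
        child_rules = {rule for rule, pid in alerts if by_pid[pid].ppid == host}
        if {"disable_taskmgr", "wlan_profile_enum"} <= child_rules:
            alerts.append(("hollowing_chain", host))
    return alerts


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\duk (3).exe"

# Constructed events: PIDs and command lines follow the report; the
# explorer.exe parent (pid 4020) and the MSBuild control case are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1160, 4020, DROPPER, r"C:\Windows\explorer.exe", f'"{DROPPER}"'),
    ProcEvent(4476, 1160, REGSVCS, DROPPER, REGSVCS),
    ProcEvent(2484, 4476, r"C:\Windows\SysWOW64\REG.exe", REGSVCS,
              r"REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System "
              r"/v DisableTaskMgr /t REG_DWORD /d 1 /f"),
    ProcEvent(5068, 4476, r"C:\Windows\SysWOW64\netsh.exe", REGSVCS, '"netsh" wlan show profile'),
    ProcEvent(2896, 4476, r"C:\Windows\SysWOW64\WerFault.exe", REGSVCS,
              r"C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1576"),
    # benign: RegSvcs.exe registering an assembly during a build (assumed path)
    ProcEvent(7000, 6999, REGSVCS,
              r"C:\Program Files\Microsoft Visual Studio\2019\Community\MSBuild\Current\Bin\MSBuild.exe",
              f'{REGSVCS} C:\\build\\out\\Service.dll'),
]

if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid}")
```

The per-event rules fire on their own, but the correlation step is what separates this run from noise: a RegSvcs.exe started from a user profile directory that then parents both a DisableTaskMgr registry write and a Wi-Fi profile dump is a chain, not three unrelated oddities. The WerFault.exe children are deliberately not matched; the crash is a side effect of the injected payload, not an indicator on its own.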
Network
MITRE ATT&CK Matrix

Tactic columns: Collection | Command and Control | Credential Access | Defense Evasion | Discovery | Execution | Exfiltration | Impact | Initial Access | Lateral Movement | Persistence | Privilege Escalation
Mapped technique (from the Signatures section): Defense Evasion: Modify Registry
Downloads

  • memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp
  • memory/1160-131-0x0000000008220000-0x00000000087C4000-memory.dmp
  • memory/1160-132-0x0000000007D10000-0x0000000007DA2000-memory.dmp
  • memory/1160-133-0x0000000007CA0000-0x0000000007CAA000-memory.dmp
  • memory/1160-134-0x000000000B2C0000-0x000000000B35C000-memory.dmp
  • memory/2484-138-0x0000000000000000-mapping.dmp
  • memory/4476-135-0x0000000000000000-mapping.dmp
  • memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp
  • memory/4476-137-0x00000000050F0000-0x0000000005156000-memory.dmp
  • memory/4476-139-0x0000000006060000-0x00000000060B0000-memory.dmp
  • memory/5068-140-0x0000000000000000-mapping.dmp
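The dump names above encode which process and which address range each capture came from, and the two yara hits in the Signatures section point at two of them: the snakebot_strings match in the dropper (PID 1160) and the family_agenttesla match in the hollowed RegSvcs.exe (PID 4476) at 0x400000 to 0x450000. 0x400000 is the default image base of a 32-bit executable (the report runs the 32-bit Framework\ RegSvcs.exe, and WerFault.exe comes from SysWOW64), so that 0x50000-byte region is where a hollowed-in payload image would sit. The following Python is an added example, not part of the Triage output, that parses the naming convention and orders the dumps for analyst review. The field layout pid-seq-start[-end]-memory|mapping.dmp is inferred from the names listed; the dump list and the hit names are copied from this report.

```python
"""Parse and prioritise the memory-dump names from this report's Downloads list.

Added example, not sandbox output. The name layout
(pid-seq-0xSTART[-0xEND-memory|-mapping].dmp) is inferred from the names above.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional

DUMP_RE = re.compile(
    r"(?:^|/)(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9a-fA-F]+)"
    r"(?:-0x(?P<end>[0-9a-fA-F]+)-memory|-mapping)\.dmp$"
)

# Copied from the Downloads list of this report.
DUMPS = [
    "memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp",
    "memory/1160-131-0x0000000008220000-0x00000000087C4000-memory.dmp",
    "memory/1160-132-0x0000000007D10000-0x0000000007DA2000-memory.dmp",
    "memory/1160-133-0x0000000007CA0000-0x0000000007CAA000-memory.dmp",
    "memory/1160-134-0x000000000B2C0000-0x000000000B35C000-memory.dmp",
    "memory/2484-138-0x0000000000000000-mapping.dmp",
    "memory/4476-135-0x0000000000000000-mapping.dmp",
    "memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp",
    "memory/4476-137-0x00000000050F0000-0x0000000005156000-memory.dmp",
    "memory/4476-139-0x0000000006060000-0x00000000060B0000-memory.dmp",
    "memory/5068-140-0x0000000000000000-mapping.dmp",
]

# yara hits as reported in the Signatures section: resource -> rule
YARA_HITS = {
    "behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp": "family_agenttesla",
    "behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp": "snakebot_strings",
}


def parse_dump_name(name: str) -> Optional[Dict]:
    """Split a dump name into pid, sequence number, kind and address range.
    Returns None for names that do not follow the convention."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "pid": int(m["pid"]),
        "seq": int(m["seq"]),
        "kind": "region" if end is not None else "mapping",
        "start": start,
        "end": end,
        "size": (end - start) if end is not None else 0,
    }


def regions_by_pid(names: Iterable[str]) -> Dict[int, List[Dict]]:
    """Group the region dumps (not mappings) by the process they came from."""
    out: Dict[int, List[Dict]] = defaultdict(list)
    for n in names:
        d = parse_dump_name(n)
        if d and d["kind"] == "region":
            out[d["pid"]].append(d)
    return dict(out)


def triage_order(names: Iterable[str], hits: Dict[str, str]) -> List[str]:
    """Order dumps for review: yara-hit regions first, then remaining
    regions largest-first, mapping-only dumps last. Stable for ties."""
    def key(n: str):
        d = parse_dump_name(n) or {"kind": "mapping", "size": 0}
        hit = any(h.endswith(n) for h in hits)
        return (0 if hit else 1, 0 if d["kind"] == "region" else 1, -d["size"])
    return sorted(names, key=key)


if __name__ == "__main__":
    for n in triage_order(DUMPS, YARA_HITS):
        d = parse_dump_name(n)
        tag = next((r for h, r in YARA_HITS.items() if h.endswith(n)), "")
        print(f"pid={d['pid']:5} {d['kind']:7} size=0x{d['size']:06X}  {n}  {tag}")
```

Running it puts the two yara-matched regions at the top, followed by the 0x5A4000-byte region in the dropper (the largest capture, typically the unpacked .NET stage), and pushes the three zero-length mapping dumps to the end; the same ordering works for any Triage task once the hit names are taken from its Signatures section.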