Behavioral Report

max time kernel150s
max time network154s
platformwindows10-2004_x64
resourcewin10v2004-20220414-en
submitted21-05-2022 18:51

Report
Files
Registry
Network
Processes
Mutex
Misc

Target

duk (3).exe

Filesize

511KB

Completed

21-05-2022 18:54

Task

behavioral2

Score

10^/10

MD5

04b191c4242a98c5b14ed1de9c61ef8c

SHA1

4c4fafb67933eb18100acdc76128f42dc9a9525f

SHA256

bbfd3959ef22e9fa18ed11cbc9b8f31ac36e86f0d055d2c57b81ee19f9c54175

SHA256

c613ece1002132dfacf60eb41a0d1910e3e3c314db9b53f13b9e9eb34c4db9553538f3fc12f22c3ddf5ca705a53f64517783b292c240c20ec0d002a8e202144b

agenttesla snakebot evasion keylogger snakebot spyware stealer trojan

Extracted

Family	agenttesla
Credentials	Protocol: smtp Host: mail.hotel71.com.bd Port: 587 Username: chat@hotel71.com.bd Password: 9+^va&phP1v9

Defense Evasion

AgentTesla

Description

Agent Tesla is a remote access tool (RAT) written in visual basic.

Tags

keylogger trojan stealer spyware agenttesla
SnakeBOT

Description

SnakeBOT is a heavily obfuscated .NET downloader.

Tags

snakebot
AgentTesla Payload

Reported IOCs

resource yara_rule

behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla
Contains SnakeBOT related strings

Tags

snakebot

Reported IOCs

resource yara_rule

behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp snakebot_strings
Disables Task Manager via registry modification

Tags

evasion
Drops file in Drivers directory
RegSvcs.exe

Reported IOCs

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts RegSvcs.exe
Suspicious use of SetThreadContext
duk (3).exe

Reported IOCs

description pid process target process

PID 1160 set thread context of 4476 1160 duk (3).exe RegSvcs.exe
Program crash
WerFault.exe

Reported IOCs

pid pid_target process target process

2896 4476 WerFault.exe RegSvcs.exe
Modifies registry key
REG.exe

TTPs

Modify Registry

Reported IOCs

pid process

2484 REG.exe
Suspicious behavior: EnumeratesProcesses
RegSvcs.exe

Reported IOCs

pid process

4476 RegSvcs.exe
4476 RegSvcs.exe
Suspicious use of AdjustPrivilegeToken
duk (3).exeRegSvcs.exe

Reported IOCs

description pid process

Token: SeDebugPrivilege 1160 duk (3).exe
Token: SeDebugPrivilege 4476 RegSvcs.exe
Suspicious use of SetWindowsHookEx
duk (3).exe

Reported IOCs

pid process

1160 duk (3).exe
1160 duk (3).exe

resource	yara_rule
behavioral2/memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp	family_agenttesla

resource	yara_rule
behavioral2/memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp	snakebot_strings

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	RegSvcs.exe

description	pid	process	target process
PID 1160 set thread context of 4476	1160	duk (3).exe	RegSvcs.exe

pid	pid_target	process	target process
2896	4476	WerFault.exe	RegSvcs.exe

pid	process
2484	REG.exe

pid	process
4476	RegSvcs.exe
4476	RegSvcs.exe

description	pid	process
Token: SeDebugPrivilege	1160	duk (3).exe
Token: SeDebugPrivilege	4476	RegSvcs.exe

pid	process
1160	duk (3).exe
1160	duk (3).exe

Suspicious use of WriteProcessMemory

duk (3).exeRegSvcs.exe

Reported IOCs

description	pid	process	target process
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 1160 wrote to memory of 4476	1160	duk (3).exe	RegSvcs.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 2484	4476	RegSvcs.exe	REG.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe
PID 4476 wrote to memory of 5068	4476	RegSvcs.exe	netsh.exe

C:\Users\Admin\AppData\Local\Temp\duk (3).exe

"C:\Users\Admin\AppData\Local\Temp\duk (3).exe"

Suspicious use of SetThreadContext
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory

PID:1160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Drops file in Drivers directory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory

PID:4476

C:\Windows\SysWOW64\REG.exe

REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

Modifies registry key

PID:2484

C:\Windows\SysWOW64\netsh.exe

"netsh" wlan show profile

PID:5068

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4476 -s 1576

Program crash

PID:2896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4476 -ip 4476

PID:4812

Collection

Command and Control

Credential Access

Defense Evasion

Modify Registry

Discovery

Execution

Exfiltration

Impact

Initial Access

Lateral Movement

Persistence

Privilege Escalation

00:00 00:00

memory/1160-130-0x0000000000D90000-0x0000000000E1A000-memory.dmp

Download
memory/1160-131-0x0000000008220000-0x00000000087C4000-memory.dmp

Download
memory/1160-132-0x0000000007D10000-0x0000000007DA2000-memory.dmp

Download
memory/1160-133-0x0000000007CA0000-0x0000000007CAA000-memory.dmp

Download
memory/1160-134-0x000000000B2C0000-0x000000000B35C000-memory.dmp

Download
memory/2484-138-0x0000000000000000-mapping.dmp

Download
memory/4476-135-0x0000000000000000-mapping.dmp

Download
memory/4476-136-0x0000000000400000-0x0000000000450000-memory.dmp

Download
memory/4476-137-0x00000000050F0000-0x0000000005156000-memory.dmp

Download
memory/4476-139-0x0000000006060000-0x00000000060B0000-memory.dmp

Download
memory/5068-140-0x0000000000000000-mapping.dmp

Download

Extracted

Filter: none

Description

Tags

Description

Tags

Reported IOCs

Tags

Reported IOCs

Tags

Reported IOCs

Reported IOCs

Reported IOCs

TTPs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Reported IOCs

Title