Overview

overview

10

Static

static

9

PO 28602.....4w.exe

windows7_x64

10

PO 28602.....4w.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    113s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 18:52

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO 28602....A6hBbL7xL4Jle4w.exe

  • Size

    444KB

  • MD5

    82c88bfa469dbc588304b5f8787fef8f

  • SHA1

    d1bd337791addb1151c5369b5d2922d2e30524ea

  • SHA256

    5eabdc9b1c948d59d99a9a19e6007c36b3fc7bb21dbcb654e73f64a20d6a6aec

  • SHA512

    7e415174d2ffe8f5925778ab59212cd52746a673dbba2d53b7538615bb103aa11ec17acbb8ce6a4c910d8d46e194f75a98c43f50095290995fc1c684dd97e53e

Score
10/10
agentteslacollectioncoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    logs2020@gtbenk-plc.com
  • Password:
    mkoify147@@@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • AgentTesla Payload 6 IoCs
  • CoreCCC Packer 1 IoCs

    Detects CoreCCC packer used to load .NET malware.

  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 28602....A6hBbL7xL4Jle4w.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 28602....A6hBbL7xL4Jle4w.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1532
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rluahzGlVOkvwh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7753.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:988
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:1756
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
          PID:1732
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "{path}"
          2⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:1720
          • C:\Windows\SysWOW64\netsh.exe
            "netsh" wlan show profile
            3⤵
              PID:1196

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Email Collection

        1
        T1114

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp7753.tmp
          Filesize

          1KB

          MD5

          0d3b8cdce3fe1923781f6f7908fc4da1

          SHA1

          e87709405e67195dc691976251c99c23185238dc

          SHA256

          8fa2556f482cf77ee54d61e698e2b1b8bbe60875bc32e0d500c8ea78b4682a25

          SHA512

          74ecabd578c858c971a5196eba046b7436f7c6d9bba236676a5d0f4880dff3c76b5bd6f218b0b6db6f9e64597afbf5b170281aed1d9107bd152370d9317846b8

          Download Submit
        • memory/988-58-0x0000000000000000-mapping.dmp
          Download
        • memory/1196-72-0x0000000000000000-mapping.dmp
          Download
        • memory/1532-55-0x0000000076241000-0x0000000076243000-memory.dmp
          Filesize

          8KB

          Download
        • memory/1532-56-0x00000000004F0000-0x00000000004F8000-memory.dmp
          Filesize

          32KB

          Download
        • memory/1532-57-0x0000000004480000-0x00000000044D8000-memory.dmp
          Filesize

          352KB

          Download
        • memory/1532-54-0x0000000000360000-0x00000000003D6000-memory.dmp
          Filesize

          472KB

          Download
        • memory/1720-60-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-63-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-64-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-65-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-66-0x000000000044C7FE-mapping.dmp
          Download
        • memory/1720-68-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-70-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/1720-61-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download