Overview

overview

10

Static

static

9b39828b28...1c.exe

windows7_x64

3

9b39828b28...1c.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    156s
  • max time network
    220s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    25-06-2022 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe

  • Size

    397KB

  • MD5

    7fc4300a6f6dea00b341018b3366e8be

  • SHA1

    05b8a1966cb6b423f9e0da49add7d7cd913a9c73

  • SHA256

    9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c

  • SHA512

    dcc16e705fd42d295e64580585068aed496611506ae26783321e00f63d50bbd8efadff7573f0c6c8bcc59eb9009b1b0d88fa3d5cd778135e1c049bcc203bd26c

Score
10/10
agentteslacollectionkeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.jlumberg-ss.com
  • Port:
    587
  • Username:
    admin@jlumberg-ss.com
  • Password:
    Xj)b!tl4

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • ReZer0 packer 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
    "C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3400
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windo 1 -noexit -exec bypass -file "C:\Users\Public\LUoUY.ps1"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1720
      • C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
        "{path}"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TtupyRIxEsku" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1A2A.tmp"
          4⤵
          • Creates scheduled task(s)
          PID:3352
        • C:\Users\Admin\AppData\Local\Temp\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe
          "{path}"
          4⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:220

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\9b39828b28c9d575bb1d844c5fd6e1bb2a49ddfa02302e84caedd075b6625d1c.exe.log
    Filesize

    139B

    MD5

    b226ddb0f6213e848e868253270d2ee4

    SHA1

    9d9b43c46b5a5573cd4e521293413ad9c55ef5b9

    SHA256

    9fcd51e732baf44df777525aca99cd16a693190659f9cab66263fd2393fb87f1

    SHA512

    b4f46b90bb116fffd16924b1911ab9b280c74977344788bad0db8b60818f8126efa830d282df4a97aa542d1c9ea48e445d7dd77ac33c3fda5e745787fcd74e8c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp1A2A.tmp
    Filesize

    1KB

    MD5

    7380440f1a0cd99d9e7ec7bb4083ce48

    SHA1

    634747cb2d281948a425155a1a0186f10ba46057

    SHA256

    661d002203173504b137772d41e9895fe216502111c2bd7457d2c8c447432486

    SHA512

    ac07cb443ce3b2049a7e5526773e302dde71a043fe15c6e3c7bf7155517a60b6cfe7ef99b0ec668fa2619396fe70032ae89ae8850a9016f970ea0b4dbc98d8b7

    Download Submit
  • C:\Users\Public\LUoUY.ps1
    Filesize

    24KB

    MD5

    da9dc2ad19105e8daebc4b438c74aa12

    SHA1

    81c1f48dda44ad25de5693734613ae2c92282ade

    SHA256

    9d6c7d381757d0571869bcbca844d7a8742f5276269d7fb086e04ab11d9ba540

    SHA512

    aa19b27f6ddbfd07cea33fdb248564224cfc585d80d41196ff0f2eb66a69644adac472a2a3526eba093d4439ba11c92b08a7e41bdf392d650a7f43e26973a1f7

    Download Submit
  • memory/220-153-0x00000000056B0000-0x00000000056BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/220-151-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/220-149-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-142-0x0000000000000000-mapping.dmp
    Download
  • memory/1364-143-0x0000000000400000-0x0000000000456000-memory.dmp
    Filesize

    344KB

    Download
  • memory/1364-145-0x0000000005B50000-0x00000000060F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1720-141-0x00000000073F0000-0x0000000007482000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1720-146-0x0000000007810000-0x0000000007886000-memory.dmp
    Filesize

    472KB

    Download
  • memory/1720-137-0x0000000005490000-0x00000000054F6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1720-132-0x0000000000000000-mapping.dmp
    Download
  • memory/1720-139-0x0000000007200000-0x0000000007244000-memory.dmp
    Filesize

    272KB

    Download
  • memory/1720-135-0x0000000005210000-0x0000000005232000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1720-138-0x0000000006070000-0x000000000608E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1720-136-0x00000000053B0000-0x0000000005416000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1720-152-0x00000000076B0000-0x00000000076CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1720-134-0x0000000005560000-0x0000000005B88000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1720-150-0x0000000008F10000-0x000000000958A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1720-133-0x0000000002CF0000-0x0000000002D26000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3352-147-0x0000000000000000-mapping.dmp
    Download
  • memory/3400-130-0x00000000006D0000-0x000000000073A000-memory.dmp
    Filesize

    424KB

    Download
  • memory/3400-131-0x0000000005120000-0x00000000051BC000-memory.dmp
    Filesize

    624KB

    Download