Overview

overview

10

Static

static

18d5927d19...a6.exe

windows7_x64

10

18d5927d19...a6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    92s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-06-2022 17:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18d5927d197f41af4d9b16621b0515a6.exe

  • Size

    172KB

  • MD5

    18d5927d197f41af4d9b16621b0515a6

  • SHA1

    d2f4345de440d781b22f3ecf5b922783b4264bdd

  • SHA256

    613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0

  • SHA512

    60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b

Score
10/10
agentteslaasyncratdefaultcollectionkeyloggerpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

C2

http://136.144.41.76/bray/inc/a4a9ffb236214a.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE AgentTesla Communicating with CnC Server

    suricata: ET MALWARE AgentTesla Communicating with CnC Server

    suricata
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe
    "C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4116
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4288
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1924
    • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
      "C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1312
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2216
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4764

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    3337d66209faa998d52d781d0ff2d804

    SHA1

    6594b85a70f998f79f43cdf1ca56137997534156

    SHA256

    9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

    SHA512

    8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    15KB

    MD5

    9e2a9ecaec0b5e4f529aaaa9be9245ae

    SHA1

    c5f0ba7809bfede3f4dc40408e2686e103bd87d1

    SHA256

    a73e02d4a2f3814ed90cdd808c3c1d891ed6eebfa2041a9f7d25ad41c08dbda0

    SHA512

    11948c56c9fc5917292bd271fd19090f2c78be8431558009b0d8045cf695fa28c93f40418f65a51ba80608983fdb47063e89fbcf14fcd784a2ae282d088af686

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • memory/1312-151-0x0000000000000000-mapping.dmp
    Download
  • memory/1924-145-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-160-0x0000000000000000-mapping.dmp
    Download
  • memory/2216-161-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2768-157-0x0000000000000000-mapping.dmp
    Download
  • memory/3652-150-0x0000000000D80000-0x0000000000DB0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/3652-147-0x0000000000000000-mapping.dmp
    Download
  • memory/4116-131-0x0000000005150000-0x00000000056F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4116-132-0x0000000004BA0000-0x0000000004C32000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4116-130-0x00000000001D0000-0x0000000000200000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4116-133-0x0000000004C40000-0x0000000004C4A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4288-139-0x0000000006100000-0x0000000006166000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4288-140-0x0000000006740000-0x000000000675E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4288-143-0x0000000008130000-0x00000000087AA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4288-142-0x0000000007A30000-0x0000000007AA6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4288-141-0x0000000006C90000-0x0000000006CD4000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4288-134-0x0000000000000000-mapping.dmp
    Download
  • memory/4288-135-0x0000000005150000-0x0000000005186000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4288-144-0x0000000007AD0000-0x0000000007AEA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4288-136-0x0000000005860000-0x0000000005E88000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4288-137-0x0000000005EC0000-0x0000000005EE2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4288-138-0x0000000005F60000-0x0000000005FC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4764-156-0x0000000006B20000-0x0000000006B70000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4764-155-0x0000000005790000-0x000000000582C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4764-154-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/4764-152-0x0000000000000000-mapping.dmp
    Download