Overview

overview

10

Static

static

18d5927d19...a6.exe

windows7_x64

10

18d5927d19...a6.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    106s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    30-06-2022 17:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    18d5927d197f41af4d9b16621b0515a6.exe

  • Size

    172KB

  • MD5

    18d5927d197f41af4d9b16621b0515a6

  • SHA1

    d2f4345de440d781b22f3ecf5b922783b4264bdd

  • SHA256

    613113ce85195ad4ee1d48d212424be5719d697429f2cfe422752e056d2236c0

  • SHA512

    60dde5e043e91469135829aa1590d7e505644fa22a675a205e5cc40e507b27b06e6fcfcc418b72fc8752a788ce51fd8ee3919fa4534ae94bf889db948b50e24b

Score
10/10
agentteslaasyncratdefaultcollectionkeyloggerpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

agenttesla

C2

http://136.144.41.76/bray/inc/a4a9ffb236214a.php

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

Default

C2

127.0.0.1:6606

127.0.0.1:7707

127.0.0.1:8808

127.0.0.1:1111

62.197.136.167:6606

62.197.136.167:7707

62.197.136.167:8808

62.197.136.167:1111
Mutex

AsyncMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers.

    ratasyncrat
  • suricata: ET MALWARE AgentTesla Communicating with CnC Server

    suricata: ET MALWARE AgentTesla Communicating with CnC Server

    suricata
  • suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata: ET MALWARE Generic AsyncRAT Style SSL Cert

    suricata
  • suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)

    suricata
  • Async RAT payload 1 IoCs
    rat
  • Drops file in Drivers directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe
    "C:\Users\Admin\AppData\Local\Temp\18d5927d197f41af4d9b16621b0515a6.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3124
    • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
      "C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe"
      2⤵
      • Executes dropped EXE
      • Checks computer location settings
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4348
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1324
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQAxAA==
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2820
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:836
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:3532

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    1KB

    MD5

    4280e36a29fa31c01e4d8b2ba726a0d8

    SHA1

    c485c2c9ce0a99747b18d899b71dfa9a64dabe32

    SHA256

    e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

    SHA512

    494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
    Filesize

    53KB

    MD5

    3337d66209faa998d52d781d0ff2d804

    SHA1

    6594b85a70f998f79f43cdf1ca56137997534156

    SHA256

    9b946b062865f68b9f0f43a011d33d7ea0926a3c8f78fb20d9cab6144314e1bd

    SHA512

    8bbd14bd73111f7b55712f5d1e1b727e41db8e6e0c1243ee6809ff32b509e52dec7af34c064151fb5beccd59dda434a3f83abe987c561a25abfbb4cbcf9c7f1f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    16KB

    MD5

    4a76ff2cb0221e6f386934409b4081f9

    SHA1

    641753885fe1f46c609a3291fce3ff3979d83469

    SHA256

    6a7b53fe72bc2081c0bf0633c241097256871865dd7ea0b0d10e842ea575fb9c

    SHA512

    6caef5a5aac18b6a7e8c020e2692c968eaf433000b0153941a26f2223b842b8305ab1d5fc233435aef47e79cdb237fd3584e3bd3bb1f5bd66c8286f91ba8e79b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Crstwuze5m.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Tupbtqbro\Aeigqqh.exe
    Filesize

    172KB

    MD5

    982f97ccf89f9d50dbc5d152c7139a50

    SHA1

    0ba6c448dd8566a1196e642ef1d834d55bf6e3e6

    SHA256

    f41360c7779e6656ec89fdfa40ae58b619d80dd27286802a9e902ab9dde19152

    SHA512

    c51127261b13e135e183c779c2bc10b5f43a2e27ccfd902829abc215beddd2070cf3739ac810201ae4eaf98dc9afab9b5e6923e97b1ca7bd0c7e661706c08fd1

    Download Submit
  • memory/836-161-0x0000000000400000-0x0000000000412000-memory.dmp
    Filesize

    72KB

    Download
  • memory/836-160-0x0000000000000000-mapping.dmp
    Download
  • memory/1324-150-0x0000000000000000-mapping.dmp
    Download
  • memory/2820-157-0x0000000000000000-mapping.dmp
    Download
  • memory/2924-133-0x0000000004AB0000-0x0000000004ABA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2924-130-0x00000000000F0000-0x0000000000120000-memory.dmp
    Filesize

    192KB

    Download
  • memory/2924-132-0x0000000004B10000-0x0000000004BA2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2924-131-0x00000000050C0000-0x0000000005664000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3124-145-0x0000000000000000-mapping.dmp
    Download
  • memory/3532-156-0x0000000006880000-0x00000000068D0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3532-154-0x00000000055C0000-0x000000000565C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3532-153-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/3532-152-0x0000000000000000-mapping.dmp
    Download
  • memory/4348-146-0x0000000000000000-mapping.dmp
    Download
  • memory/4348-149-0x0000000000E10000-0x0000000000E40000-memory.dmp
    Filesize

    192KB

    Download
  • memory/4628-144-0x0000000007CE0000-0x0000000007CFA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/4628-143-0x0000000008340000-0x00000000089BA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/4628-142-0x0000000007C40000-0x0000000007CB6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4628-141-0x0000000006ED0000-0x0000000006F14000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4628-140-0x00000000068C0000-0x00000000068DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/4628-139-0x0000000006310000-0x0000000006376000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4628-138-0x0000000005A60000-0x0000000005AC6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4628-137-0x0000000005880000-0x00000000058A2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4628-136-0x0000000005CE0000-0x0000000006308000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/4628-135-0x0000000002FF0000-0x0000000003026000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4628-134-0x0000000000000000-mapping.dmp
    Download