Analysis
- Max time kernel: 168s
- Max time network: 188s
- Platform: windows10-2004_x64
- Resource: win10v2004-20220414-en
- Submitted: 01-07-2022 03:22

Static task: static1

Behavioral task: behavioral1
- Sample: 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe
- Resource: win7-20220414-en

Behavioral task: behavioral2
- Sample: 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe
- Resource: win10v2004-20220414-en
General
- Target: 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe
- Size: 775KB
- MD5: 7f4df8a2ce1ae2c87509a7554a8a2312
- SHA1: 144f7be59e7d0ab494fe7b034cd263f32c332db4
- SHA256: 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f
- SHA512: 42bdd96d520ce3647481cce844240d26e8d07d504946540ffda93dbfe95e22bcf65601e45b424cb0eaa2197d1bc8ad29c91bc97fb5884f0651df528c53878c17
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.vitiren.website
- Port: 587
- Username: [email protected]
- Password: R_(^!h,UT{s5
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoC)
Processes:
  resource: behavioral2/memory/4684-151-0x0000000000400000-0x000000000044E000-memory.dmp, yara_rule: family_agenttesla
- Executes dropped EXE (1 IoC)
Processes:
  PID 3004, process PugRIiJsVbzDZNOwma5.exe
- Drops startup file (1 IoC)
Processes:
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\explorre.url (process PugRIiJsVbzDZNOwma5.exe)
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process RegAsm.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process RegAsm.exe)
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process RegAsm.exe)
- Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  Key created: \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (process 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" (process 608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VTqeOCyH = "C:\\Users\\Admin\\AppData\\Roaming\\fRpSdvI\\SoGDo.exe" (process RegAsm.exe)
- Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 3004 (PugRIiJsVbzDZNOwma5.exe) set thread context of PID 4684 (RegAsm.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  PID 4684, process RegAsm.exe (2 occurrences)
- Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  PID 3004, process PugRIiJsVbzDZNOwma5.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  Token: SeDebugPrivilege, PID 4684, process RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 4684, process RegAsm.exe
- Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  PID 3480 (608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe) wrote to memory of PID 3004 (PugRIiJsVbzDZNOwma5.exe) (3 occurrences)
  PID 3004 (PugRIiJsVbzDZNOwma5.exe) wrote to memory of PID 4036 (csc.exe) (3 occurrences)
  PID 4036 (csc.exe) wrote to memory of PID 2688 (cvtres.exe) (3 occurrences)
  PID 3004 (PugRIiJsVbzDZNOwma5.exe) wrote to memory of PID 3316 (csc.exe) (3 occurrences)
  PID 3316 (csc.exe) wrote to memory of PID 4368 (cvtres.exe) (3 occurrences)
  PID 3004 (PugRIiJsVbzDZNOwma5.exe) wrote to memory of PID 4684 (RegAsm.exe) (4 occurrences)
- outlook_office_path (1 IoC)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process RegAsm.exe)
- outlook_win_path (1 IoC)
Processes:
  Key opened: \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (process RegAsm.exe)
Processes
1. C:\Users\Admin\AppData\Local\Temp\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe"
   PID: 3480
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwma5.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwma5.exe
      PID: 3004
      - Executes dropped EXE
      - Drops startup file
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ke2bw05r\ke2bw05r.cmdline"
         PID: 4036
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF784.tmp" "c:\Users\Admin\AppData\Local\Temp\ke2bw05r\CSCCE825AEF9FBF4FA0A25CE8B070D91154.TMP"
            PID: 2688
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yz2oiji3\yz2oiji3.cmdline"
         PID: 3316
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
            Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF968.tmp" "c:\Users\Admin\AppData\Local\Temp\yz2oiji3\CSC34921F2B3D05491F8DE1A0A95F3EC97D.TMP"
            PID: 4368
      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
         Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
         PID: 4684
         - Accesses Microsoft Outlook profiles
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - outlook_office_path
         - outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Downloads