Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    166s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-10-2022 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    1.8MB

  • MD5

    ed7fa6ec8aa0602b18ac40bf6abff7e6

  • SHA1

    21f14e8533a1143001c0bc1a842cb4f9f4c69a8a

  • SHA256

    341e2d5159578433b9509ab15c1b2acd52162a51531d8c94689286a91eebcdc4

  • SHA512

    3388db86341f13ed30d40942df6b1844c6ebdbe7a360749edec9b23b87ca106ae90082c08648308fc9a9f78a4ffdd0c92855b090aeca52ddc00a903834d856e7

  • SSDEEP

    12288:Lnjo5JZCGepoAgPBEudDgeOYnWZQzjFeM6DJOjB9sTTHyOx+mRfGrwmMeOS34MIy:6ZL0QpfnYQb6VOUROrwE

Score
10/10
agentteslaremcosremotehostcollectionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.fishtrans.ro
  • Port:
    587
  • Username:
    depozit@fishtrans.ro
  • Password:
    Filepangasius2000

Extracted

Family

remcos

Botnet

RemoteHost

C2

mam.mastercoa.co:37824

Attributes
  • audio_folder

    MicRecords

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    1

  • copy_file

    remcos.exe

  • copy_folder

    Remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • mouse_option

    false

  • mutex

    Rmc-3FCFQU

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screenshots

  • screenshot_path

    %AppData%

  • screenshot_time

    10

  • startup_value

    Remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Remcos

    Remcos is a closed-source remote control and surveillance software.

    ratremcos
  • NirSoft MailPassView 1 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 4 IoCs
  • Executes dropped EXE 3 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
    collection
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Suspicious use of SetThreadContext 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMQA1AA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3068
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\vyrbubpborjkgpmh"
        3⤵
          PID:4180
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\vyrbubpborjkgpmh"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:4532
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\xtxuumadczbxieatnzx"
          3⤵
          • Accesses Microsoft Outlook accounts
          PID:4224
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe /stext "C:\Users\Admin\AppData\Local\Temp\ivknvelwqitcskxxwcjtdsj"
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2344
        • C:\Users\Admin\AppData\Local\Temp\dwn.exe
          "C:\Users\Admin\AppData\Local\Temp\dwn.exe"
          3⤵
          • Executes dropped EXE
          • Checks computer location settings
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2144
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAAMwAwAA==
            4⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:936
          • C:\Users\Admin\AppData\Local\Temp\dwn.exe
            C:\Users\Admin\AppData\Local\Temp\dwn.exe
            4⤵
            • Executes dropped EXE
            PID:2324
          • C:\Users\Admin\AppData\Local\Temp\dwn.exe
            C:\Users\Admin\AppData\Local\Temp\dwn.exe
            4⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2352

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    2
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dwn.exe.log
      Filesize

      1KB

      MD5

      7e88081fcf716d85992bb3af3d9b6454

      SHA1

      2153780fbc71061b0102a7a7b665349e1013e250

      SHA256

      5ffb4a3ea94a6a53c4f88e2191c6fec5fd8a7336e367aa113fe8c12631e0c4d2

      SHA512

      ec606e14367ae221c04f213a61a6f797034495121198e4788e3afa4aa8db67bf59c5c5210a56afae5557158e8923b013b371b84c7d64303618c5b4c57a2224f7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      1KB

      MD5

      4280e36a29fa31c01e4d8b2ba726a0d8

      SHA1

      c485c2c9ce0a99747b18d899b71dfa9a64dabe32

      SHA256

      e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359

      SHA512

      494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache
      Filesize

      53KB

      MD5

      06ad34f9739c5159b4d92d702545bd49

      SHA1

      9152a0d4f153f3f40f7e606be75f81b582ee0c17

      SHA256

      474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba

      SHA512

      c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      16KB

      MD5

      6cdeccc3b83068359edc9e9af53035b6

      SHA1

      b51b1113ee0d91931a4cc39fe96005d4c076c27a

      SHA256

      a92a68317a9ec345a7f67afab48f87b76c25902d34fec6f926ede45adbbcf7b0

      SHA512

      1ded1a606e1091d641b4c7e882733150a1fe29d025bd6f658596080a4ac8cfda0c23f89f518242a247a68f92c8c96618cfc516afbe9c9df69ee5d46cd6b9ba23

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dwn.exe
      Filesize

      1.5MB

      MD5

      24a24d65b79918f7e66562a87fee6092

      SHA1

      8bfe971f81d0e660e923d097e54d8851d49f23b1

      SHA256

      d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

      SHA512

      3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dwn.exe
      Filesize

      1.5MB

      MD5

      24a24d65b79918f7e66562a87fee6092

      SHA1

      8bfe971f81d0e660e923d097e54d8851d49f23b1

      SHA256

      d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

      SHA512

      3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dwn.exe
      Filesize

      1.5MB

      MD5

      24a24d65b79918f7e66562a87fee6092

      SHA1

      8bfe971f81d0e660e923d097e54d8851d49f23b1

      SHA256

      d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

      SHA512

      3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dwn.exe
      Filesize

      1.5MB

      MD5

      24a24d65b79918f7e66562a87fee6092

      SHA1

      8bfe971f81d0e660e923d097e54d8851d49f23b1

      SHA256

      d985c6aae8f8244cae60bea8e32dc0be60af18ce2773dc1937e7080c4e851662

      SHA512

      3f9e3fa44f52a5ab13d3cad82168a9cc215cd6d06edccd1ee0d3ca2023a10f9a9ff5a3e97316c5a2ea9e9124791181c3156b36b0ced099a9993b055f459d52eb

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\vyrbubpborjkgpmh
      Filesize

      4KB

      MD5

      30177e1276595fd69ea96b692f49d776

      SHA1

      75769c29031ca1ad8e175dd700c74b5e35c5b0c7

      SHA256

      76d4066990e2ee2776f733a25ce23e9af545fd6f1a3b5760d603bdc05d9402d5

      SHA512

      ccdf20174d299de8ec21445faaf4ebe95c04bd7634c9fe138ba54262b754620c2dfd53a5c94b7d53518181d2eab7b5c97d7933d3a66d05220b06aee120893d4b

      Download Submit
    • memory/792-132-0x0000000000450000-0x0000000000616000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/792-133-0x00000000059F0000-0x0000000005A12000-memory.dmp
      Filesize

      136KB

      Download
    • memory/936-160-0x0000000000000000-mapping.dmp
      Download
    • memory/2144-154-0x0000000000000000-mapping.dmp
      Download
    • memory/2144-157-0x0000000000D00000-0x0000000000E86000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2324-165-0x0000000000000000-mapping.dmp
      Download
    • memory/2344-150-0x0000000000000000-mapping.dmp
      Download
    • memory/2344-151-0x0000000000400000-0x0000000000424000-memory.dmp
      Filesize

      144KB

      Download
    • memory/2352-167-0x0000000000000000-mapping.dmp
      Download
    • memory/2352-175-0x0000000006610000-0x000000000661A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2352-174-0x0000000006680000-0x0000000006712000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2352-173-0x0000000006220000-0x0000000006270000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2352-172-0x0000000005090000-0x000000000512C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2352-171-0x0000000005640000-0x0000000005BE4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2352-168-0x0000000000400000-0x000000000043A000-memory.dmp
      Filesize

      232KB

      Download
    • memory/2504-146-0x0000000000400000-0x000000000047F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/2504-164-0x0000000000400000-0x000000000047F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/2504-145-0x0000000000400000-0x000000000047F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/2504-142-0x0000000000000000-mapping.dmp
      Download
    • memory/2504-144-0x0000000000400000-0x000000000047F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/2504-143-0x0000000000400000-0x000000000047F000-memory.dmp
      Filesize

      508KB

      Download
    • memory/3068-137-0x0000000005990000-0x00000000059F6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3068-135-0x0000000002B90000-0x0000000002BC6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3068-139-0x0000000006140000-0x000000000615E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3068-140-0x0000000007990000-0x000000000800A000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/3068-136-0x0000000005360000-0x0000000005988000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3068-141-0x0000000006630000-0x000000000664A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3068-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3068-138-0x0000000005AB0000-0x0000000005B16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4180-147-0x0000000000000000-mapping.dmp
      Download
    • memory/4224-152-0x0000000000400000-0x0000000000457000-memory.dmp
      Filesize

      348KB

      Download
    • memory/4224-149-0x0000000000000000-mapping.dmp
      Download
    • memory/4532-158-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4532-153-0x0000000000400000-0x0000000000478000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4532-148-0x0000000000000000-mapping.dmp
      Download