Overview

overview

10

Static

static

1

FİYAT İS...23.exe

windows7-x64

10

FİYAT İS...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    115s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2023 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FİYAT İSTEĞİ82032023.exe

  • Size

    500KB

  • MD5

    01f1e05c0db18b1197abe20d9d7fe39d

  • SHA1

    36ff0a02c57f1150c6dffa5d620cdc357181604d

  • SHA256

    446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

  • SHA512

    a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

  • SSDEEP

    12288:Oowkeve7u1hSFHAHnQTRrZYO1HLLY5dXmktgCOfMUd+d:OowdvcunegHQT7YO1HL0dXmTCv

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5409839916:AAEYUYZy0IhJQAm4VXi620si4okGW8FDL2w/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 2 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 4 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FİYAT İSTEĞİ82032023.exe
    "C:\Users\Admin\AppData\Local\Temp\FİYAT İSTEĞİ82032023.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Adds Run key to start application
    • Maps connected drives based on registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4896
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1224
      • C:\Windows\system32\schtasks.exe
        schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
        3⤵
        • Creates scheduled task(s)
        PID:2996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8A62.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:3052
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Looks for VirtualBox Guest Additions in registry
        • Looks for VMWare Tools registry key
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Maps connected drives based on registry
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:264
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
          4⤵
            PID:2604
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
            4⤵
              PID:4620
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
              4⤵
                PID:4104
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
                4⤵
                  PID:3592
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                  4⤵
                    PID:4552
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                    4⤵
                      PID:3668
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                      4⤵
                        PID:3848
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
                        4⤵
                          PID:948
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                          4⤵
                          • Accesses Microsoft Outlook profiles
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of SetWindowsHookEx
                          • outlook_office_path
                          • outlook_win_path
                          PID:3652

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Local\Temp\tmp8A62.tmp.bat
                    Filesize

                    151B

                    MD5

                    2034a58e463ac8580b7a2e7f73440bb4

                    SHA1

                    b4874ac8779c6ffb9d867c3518311d2498e761e9

                    SHA256

                    a67e59c0cb7860fa9b49673f29507bccee323826b748800fb18651cf6eac2b94

                    SHA512

                    3a1b27348f10c245296784b1079a37fd2932ab4c8d4719a916c0d8f6435be0426fdc2dbf25e1fc65ed3beeebe82fe6600612c612c8b808dbc4d6ed46289a1310

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\svchost.exe
                    Filesize

                    500KB

                    MD5

                    01f1e05c0db18b1197abe20d9d7fe39d

                    SHA1

                    36ff0a02c57f1150c6dffa5d620cdc357181604d

                    SHA256

                    446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

                    SHA512

                    a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\svchost.exe
                    Filesize

                    500KB

                    MD5

                    01f1e05c0db18b1197abe20d9d7fe39d

                    SHA1

                    36ff0a02c57f1150c6dffa5d620cdc357181604d

                    SHA256

                    446e23b2ec4a53c537ae29ff5964958702510c8b46c72b68d9141f238a5fe691

                    SHA512

                    a013168eb1173a619a8ff93292878faa60f8635ff51d23f0e4aaadb61e4dce46186255aef35932f1003b570d6868f0e5bf4b21fe9b4f257dff870cb449053913

                    Download Submit

                  • memory/3652-145-0x0000000005C30000-0x00000000061D4000-memory.dmp

                    Filesize

                    5.6MB

                    Download

                  • memory/3652-143-0x0000000000400000-0x000000000043A000-memory.dmp

                    Filesize

                    232KB

                    Download

                  • memory/3652-146-0x0000000005680000-0x000000000571C000-memory.dmp

                    Filesize

                    624KB

                    Download

                  • memory/3652-147-0x0000000006390000-0x00000000063F6000-memory.dmp

                    Filesize

                    408KB

                    Download

                  • memory/3652-148-0x00000000055D0000-0x00000000055E0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3652-149-0x00000000069A0000-0x00000000069F0000-memory.dmp

                    Filesize

                    320KB

                    Download

                  • memory/3652-153-0x00000000071D0000-0x0000000007262000-memory.dmp

                    Filesize

                    584KB

                    Download

                  • memory/3652-154-0x0000000007170000-0x000000000717A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/3652-155-0x00000000055D0000-0x00000000055E0000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4896-134-0x00000257B5630000-0x00000257B5640000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/4896-133-0x00000257B38F0000-0x00000257B3972000-memory.dmp

                    Filesize

                    520KB

                    Download