Overview

overview

10

Static

static

1

20230328.bat.exe

windows7-x64

10

20230328.bat.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2023 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20230328.bat.exe

  • Size

    632KB

  • MD5

    57f282205cc0abd33d339ccedf0df2f1

  • SHA1

    1cf7ba24d1157a1b4add218db224d34c2bb416dc

  • SHA256

    6b33dcd29a3bddb0574c50b604db51b808c0909df8beeb575fea8979ce55dd49

  • SHA512

    ed55a50893e0e1d9d5fb38343f3e7125dcb4217b9c9c16f7bc16dd3fc8db02a937ce3f9f36512b582d1bf94e5327c7505b9a9b923693b84b0c3fe0054f8caf60

  • SSDEEP

    6144:sMm4CCHM4NL26fgvHOg3UXy5bpBUWwVl57DDCu96qvjIegLl3:sMwg/NL26fgvHOFyrKxl7vCM6qbIeal3

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Loads dropped DLL 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20230328.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\20230328.bat.exe"
    1⤵
    • Checks QEMU agent file
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
      "C:\Users\Admin\AppData\Local\Temp\20230328.bat.exe"
      2⤵
        PID:952
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
        "C:\Users\Admin\AppData\Local\Temp\20230328.bat.exe"
        2⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of AdjustPrivilegeToken
        PID:1252
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1252 -s 2144
          3⤵
          • Program crash
          PID:2076
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1252 -ip 1252
      1⤵
        PID:1364

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\AdvSplash.dll
        Filesize

        6KB

        MD5

        1871af84805057b5ebc05ee46b56625d

        SHA1

        50e1c315ad30f5f3f300c7cd9dd0d5d626fe0167

        SHA256

        62b3db0446750ca9fd693733eec927acc1f50012a47785343286e63b650b7621

        SHA512

        c1979ee98dfdb807776c439218528d80b4b244a87e692f1538e40f9c2c82db8b77485eb1429325b6f44419bf1f4cd454e43ff381eff077a8b4f4d9eb0d7e54d4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\nsx7574.tmp\System.dll
        Filesize

        12KB

        MD5

        564bb0373067e1785cba7e4c24aab4bf

        SHA1

        7c9416a01d821b10b2eef97b80899d24014d6fc1

        SHA256

        7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

        SHA512

        22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

        Download Submit

      • memory/1252-167-0x0000000036340000-0x00000000368E4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/1252-150-0x0000000001100000-0x0000000002DDF000-memory.dmp

        Filesize

        28.9MB

        Download

      • memory/1252-151-0x0000000001100000-0x0000000002DDF000-memory.dmp

        Filesize

        28.9MB

        Download

      • memory/1252-164-0x0000000000400000-0x000000000062B000-memory.dmp

        Filesize

        2.2MB

        Download

      • memory/1252-165-0x0000000001100000-0x0000000002DDF000-memory.dmp

        Filesize

        28.9MB

        Download

      • memory/1252-166-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1252-169-0x0000000001070000-0x00000000010D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/1252-170-0x0000000035EF0000-0x0000000035F00000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1252-171-0x00000000368F0000-0x0000000036982000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1252-172-0x00000000362F0000-0x00000000362FA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1252-173-0x0000000001100000-0x0000000002DDF000-memory.dmp

        Filesize

        28.9MB

        Download

      • memory/3132-149-0x0000000004960000-0x000000000663F000-memory.dmp

        Filesize

        28.9MB

        Download

      • memory/3132-148-0x0000000004960000-0x000000000663F000-memory.dmp

        Filesize

        28.9MB

        Download