Analysis

  • max time kernel
    142s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-12-2023 11:18

General

  • Target

    SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe

  • Size

    1.5MB

  • MD5

    ee0a61b47e6676cce5c6908cfe8d9f98

  • SHA1

    a7636fc89e3e076b1e8bdc2fa7b3ae3f7ba126c2

  • SHA256

    be1e625483202184962d61f45c1c31c00a18063376a91ce7bae5ed72169d05f2

  • SHA512

    cc644964da0fa26bcdfc5d92aedb6527e098fd19bbb40308df6c16b5df9aebbd5f463a59285a19081915d08dbedeedf90adda0ebcf59902ec8117777cdf2ff72

  • SSDEEP

    24576:zU3iOHs23wM460Q9kB1dExumukxUhj4oEjqFzqMAxHbQaHhizTM8T6H:A3K8wVWe0NUhkoEjqFztAxhN46H

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.bilbonne.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    YuKPdqG2

Extracted

Family

rhadamanthys

C2

http://212.193.30.32/upload/libcurl.dll

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect rhadamanthys stealer shellcode 3 IoCs
  • Rhadamanthys

    Rhadamanthys is an info stealer written in C++ first seen in August 2022.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    PID:2452
    • C:\Windows\SysWOW64\fontview.exe
      "C:\Windows\SYSWOW64\fontview.exe"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4348
  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.GenericKD.65594079.25944.10510.exe"
    1⤵
    • Suspicious use of NtCreateUserProcessOtherParentProcess
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      2⤵
      PID:2540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4796
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 576
      2⤵
      • Program crash
      PID:4404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4432 -s 568
      2⤵
      • Program crash
      PID:4148
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4432 -ip 4432
    1⤵
    PID:4032
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4432 -ip 4432
    1⤵
    PID:3016

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\240622796.dll
    Filesize: 334KB
    MD5: 8596736c157f4e9d597e640b5fd272c2
    SHA1: 52c13d50177761027cf834200909cb8871e2bfc0
    SHA256: 7788d59ce9a3935ac67aadd1d6da93feb8a6c2c4ee8b53fba51b93a8f42b3a7a
    SHA512: ceb67ced3657617fbe6485642e92c44e672fc39f4c1770a92323bccee636aebeea3b788b9297787db1bb0945e194f2aa245e7f02743207577eca160488ca7d37

  • memory/4348-30-0x0000000001250000-0x0000000001252000-memory.dmp
    Filesize: 8KB
  • memory/4348-27-0x0000000000D60000-0x0000000000D93000-memory.dmp
    Filesize: 204KB
  • memory/4348-36-0x0000000000D60000-0x0000000000D93000-memory.dmp
    Filesize: 204KB
  • memory/4348-32-0x0000000001270000-0x000000000128C000-memory.dmp
    Filesize: 112KB
  • memory/4348-28-0x00000000012A0000-0x00000000013A0000-memory.dmp
    Filesize: 1024KB
  • memory/4348-29-0x0000000001270000-0x000000000128C000-memory.dmp
    Filesize: 112KB
  • memory/4348-12-0x0000000000D60000-0x0000000000D93000-memory.dmp
    Filesize: 204KB
  • memory/4348-34-0x0000000002C30000-0x0000000003C30000-memory.dmp
    Filesize: 16.0MB
  • memory/4348-15-0x0000000000D60000-0x0000000000D93000-memory.dmp
    Filesize: 204KB
  • memory/4348-35-0x0000000001270000-0x000000000128C000-memory.dmp
    Filesize: 112KB
  • memory/4432-23-0x0000000002EA0000-0x0000000002FF5000-memory.dmp
    Filesize: 1.3MB
  • memory/4432-24-0x000000000FDF0000-0x000000001001B000-memory.dmp
    Filesize: 2.2MB
  • memory/4432-2-0x000000000FDF0000-0x000000001001B000-memory.dmp
    Filesize: 2.2MB
  • memory/4432-3-0x000000000FDF0000-0x000000001001B000-memory.dmp
    Filesize: 2.2MB
  • memory/4432-1-0x0000000002EA0000-0x0000000002FF5000-memory.dmp
    Filesize: 1.3MB
  • memory/4796-19-0x0000000005FD0000-0x0000000006036000-memory.dmp
    Filesize: 408KB
  • memory/4796-22-0x0000000006CE0000-0x0000000006CEA000-memory.dmp
    Filesize: 40KB
  • memory/4796-18-0x0000000005960000-0x0000000005978000-memory.dmp
    Filesize: 96KB
  • memory/4796-17-0x0000000005350000-0x00000000053EC000-memory.dmp
    Filesize: 624KB
  • memory/4796-26-0x0000000073320000-0x0000000073AD0000-memory.dmp
    Filesize: 7.7MB
  • memory/4796-14-0x00000000059B0000-0x0000000005F54000-memory.dmp
    Filesize: 5.6MB
  • memory/4796-16-0x0000000005340000-0x0000000005350000-memory.dmp
    Filesize: 64KB
  • memory/4796-31-0x0000000005340000-0x0000000005350000-memory.dmp
    Filesize: 64KB
  • memory/4796-7-0x0000000073320000-0x0000000073AD0000-memory.dmp
    Filesize: 7.7MB
  • memory/4796-6-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/4796-20-0x00000000067F0000-0x0000000006840000-memory.dmp
    Filesize: 320KB
  • memory/4796-4-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize: 240KB
  • memory/4796-21-0x00000000069D0000-0x0000000006A62000-memory.dmp
    Filesize: 584KB