Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
-
submitted
12-12-2023 07:48
General
-
Target
Para Transferi Bilgilendirmesi-dekont.exe
-
Size
893KB
-
MD5
21d1df1da2e98a9ab9268712b8448e84
-
SHA1
37c3233503068ba139bddcd9569ebaa068265590
-
SHA256
a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db
-
SHA512
b6eda1358566719b0bd5923caad17d3f678b816eff8bc613a1930ec0f83fe8a4ea65194a15ebf2fb1458b8889b369483e19107eac955e0ea0c380ff3c456bd63
-
SSDEEP
24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.aksumer.com - Port:
21 - Username:
aksumerc - Password:
211116.kS*-
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 1 IoCs
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
ZGRat
ZGRat is remote access trojan written in C#.
-
Modifies Installed Components in the registry 2 TTPs 8 IoCs
-
Executes dropped EXE 8 IoCs
-
Loads dropped DLL 13 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 15 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "3⤵
- Executes dropped EXE
-
\??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe"c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe3⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\at.exeat 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
-
C:\Windows\SysWOW64\at.exeat 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe6⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
274KB
MD5cef1aa1ee74f6a2a28044171206a2796
SHA142d14accd64b2dc044307805736805489a903dd1
SHA256c480463abc1e73e04ecc270d5c5fcc8775e9e383b1ad7774bda69869de5b4d8a
SHA5122afcf9b0cd67051c98a8c1dcd5390204217056688fec615f3f458a38a3250401f17fee254375580a95730e751d43ace9379eeffa09207da8da98de6393debd36
-
MD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
Filesize
619KB
MD54783d50da091b2f50da381fd4a7b8e2d
SHA1f9504f9cd2695f0ac818596f250a4fe1ef7ca866
SHA25635eee52488a800617b5ba6e6b01f3de68cd89a248c078fcc8126fdb7e7849dfd
SHA512396c4d55da768d43d238607b7e3ad46ce325ed906843245b03f56503498c451509d495c65672bde0d42833a45a77df762a715f15151937d5aa88ad3c78ad84f0
-
Filesize
274KB
MD514b830b4552f61582f4440b712ee9af2
SHA174b5d677e14341d51af472a8673415fc1080896d
SHA2565291cc6ac0d6d64f6f93bfd1bf9e6a13ab9f343e343a599e1bcd718dc8549d3f
SHA512224ea6ea3a34f67646ed4aa6e515f6baefe26df371db94cbde2df1988987d7300638f22b9e898cec93466b40060b148f6b149fe75081e38fd001bf0f3334e86b
-
Filesize
274KB
MD5725d21c558da9d5b59a17fb50d20818d
SHA1f9cf43bbd58cd2b4804ddbd6b89655e08280e299
SHA256c1c0f3e5f4ecaf4823b56fa63b82128b5b23381713f5cb88eb08bc58c36ec9e8
SHA5128468bc7f8e8a92e81a429a5af5d04a21acdee7ccad449322db2c66d4de4220338148ea09edc55cddde20ee81582b35e99bf1de99afe0fd712534838bec62f337
-
Filesize
274KB
MD54d0ce7408bcefada54781f8f526e9ffb
SHA17a252c77035f6fcff43684667ddd3bfc07b3a965
SHA25617af968ba041b618f56dbb864278330d1ca5654f8e9f63d97452fbc8d4895f65
SHA512df35ae429ad6dcc479c53bac9b1010da8b35c8187411ca8c99bc8a9f4f275e64a207196d866bba4b7c8bd8d7bdb8fe74c0c6aecf25b5a3ba1332fc1732a161bf
-
Filesize
274KB
MD501c17645364a0357a3c3587119a2a53a
SHA1ecc184c6b773b32c4d62b9ba49249f2963405afd
SHA2563c60d00e10fb5d7d1532ca96de414e3ef77cadeb20e604879edd015e75d0f0dc
SHA512b5a99490a17feb06ac414084f7e76befcc1391b426efd06e68284693139e118d02fe41f9e1755db96d3bcdbe370707398ba4238d7ac281e8753df74c14c2dfa7
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
488KB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
640KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
96KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB
-
Filesize
248KB