Overview

overview

10

Static

static

3

Para Trans...nt.exe

windows7-x64

10

Para Trans...nt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-12-2023 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Para Transferi Bilgilendirmesi-dekont.exe

  • Size

    893KB

  • MD5

    21d1df1da2e98a9ab9268712b8448e84

  • SHA1

    37c3233503068ba139bddcd9569ebaa068265590

  • SHA256

    a6aecca7d8f0cf861ae32b0ce54822e1d3c82e94685861b130c842f602b9d7db

  • SHA512

    b6eda1358566719b0bd5923caad17d3f678b816eff8bc613a1930ec0f83fe8a4ea65194a15ebf2fb1458b8889b369483e19107eac955e0ea0c380ff3c456bd63

  • SSDEEP

    24576:K5xolYQY65XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXA:dYkXXXXXXXXXXXXXXXXXXXXXXXXXXXXQ

Score
10/10
agentteslazgratevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.aksumer.com
  • Port:
    21
  • Username:
    aksumerc
  • Password:
    211116.kS*-

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.aksumer.com
  • Port:
    21
  • Username:
    aksumerc
  • Password:
    211116.kS*-

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 1 IoCs
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Modifies Installed Components in the registry 2 TTPs 8 IoCs
    persistence
  • Executes dropped EXE 7 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe
    "C:\Users\Admin\AppData\Local\Temp\Para Transferi Bilgilendirmesi-dekont.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1788
    • \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe 
      "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4788
      • \??\c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe 
        "c:\users\admin\appdata\local\temp\para transferi bilgilendirmesi-dekont.exe "
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2936
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2356
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visiblity of hidden/system files in Explorer
        • Modifies Installed Components in the registry
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:5060
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4460
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visiblity of hidden/system files in Explorer
            • Modifies Installed Components in the registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3920
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:4356
            • C:\Windows\SysWOW64\at.exe
              at 07:50 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
                PID:960
              • C:\Windows\SysWOW64\at.exe
                at 07:51 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:1264
                • C:\Windows\SysWOW64\at.exe
                  at 07:52 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:1260

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\para transferi bilgilendirmesi-dekont.exe .log
          Filesize

          1KB

          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\para transferi bilgilendirmesi-dekont.exe 
          Filesize

          619KB

          MD5

          4783d50da091b2f50da381fd4a7b8e2d

          SHA1

          f9504f9cd2695f0ac818596f250a4fe1ef7ca866

          SHA256

          35eee52488a800617b5ba6e6b01f3de68cd89a248c078fcc8126fdb7e7849dfd

          SHA512

          396c4d55da768d43d238607b7e3ad46ce325ed906843245b03f56503498c451509d495c65672bde0d42833a45a77df762a715f15151937d5aa88ad3c78ad84f0

          Download Submit

        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          14b830b4552f61582f4440b712ee9af2

          SHA1

          74b5d677e14341d51af472a8673415fc1080896d

          SHA256

          5291cc6ac0d6d64f6f93bfd1bf9e6a13ab9f343e343a599e1bcd718dc8549d3f

          SHA512

          224ea6ea3a34f67646ed4aa6e515f6baefe26df371db94cbde2df1988987d7300638f22b9e898cec93466b40060b148f6b149fe75081e38fd001bf0f3334e86b

          Download Submit

        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          274KB

          MD5

          571e262c0f061adf75cb08905f57c5b1

          SHA1

          f687bf2b321f06be9f8618be6bcfa6ce7ec664a5

          SHA256

          826e778bb7db15dfdb2951c861c29570b870005103f06f938027cdc7c6dbc5ff

          SHA512

          b19cb0be660696dc9854f4d7c2329b91e2f199a9927ea783224d53f8a6d2e5fccb19d263183609f9b0e91cd2cbc338133c95d73678083f2d4c97f3b7ba6b2686

          Download Submit

        • C:\Windows\System\explorer.exe
          Filesize

          274KB

          MD5

          36939ebe2ab290fb1113efa91d7e12a9

          SHA1

          fcf398eabe48e1f7d5ec1e45eea8eb2b0c1b3fb8

          SHA256

          de85cc6722dae3f055fed01c891428dfb163cf879d0b809d84a9a850befdfc43

          SHA512

          7dc145045e51b1ba8d6db237dbdedd4fba2cb4c9c6371bcd1fee742e9e79f373e0bbbd90668af219351f4741bd754337c33c04c896c0a0c02704bfde8d20ed7b

          Download Submit

        • C:\Windows\System\svchost.exe
          Filesize

          274KB

          MD5

          d17136b20f2fd6b1d5973785eca19932

          SHA1

          a4a43d091ab31382bf89b077f54e0d35a699480e

          SHA256

          73cd164640846fc3e14001ee1d36985ff952321002c0e4cb94475f5d13dfc1b2

          SHA512

          4b603daaded7c6c3a0b1bf6ee10a89b7de580624b6663cc6c888964f982fb724d531cde7d9638e13f091f33c983adbe0616e6097647570cb0e0a9c58d963101e

          Download Submit

        • \??\c:\windows\system\spoolsv.exe
          Filesize

          274KB

          MD5

          02e27c3b8971975870ec9928cec4d179

          SHA1

          d14e26f7ef831b7695e21294d876fa022874c0ec

          SHA256

          8d25e0a11eb90273186a02f5bb6f5da4c839721737b55ac77e2e89c987f48145

          SHA512

          407b3a10fd7da972ab41f07ddb079aaea8c47049f8fa29c9f879a430c89d9b710aabc0c09a4ff4580cb6b75732cb286a176fad8cdf4a80c7bc6905cbd70ef7e2

          Download Submit

        • \??\c:\windows\system\svchost.exe
          Filesize

          246KB

          MD5

          141ffbf4d261af2194fa9f2cd5f3f683

          SHA1

          779f1c84b42e91d0f6b9abc8702a08836a9f33af

          SHA256

          918af9c81e3bba0ae2da2797bb693cdd7c4b595fe7c3ff5cc48d824bab247e09

          SHA512

          3f91a236b2375ce3c078e1a9387ded0f5f6eb5469db02d5e52c59a0da215147811952f625b2b70b62e0651895ed48e9bbc63211e63253ba0e62ebcf3d44c2cd1

          Download Submit

        • memory/1788-57-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/1788-0-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2356-18-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2356-56-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2936-69-0x0000000074940000-0x00000000750F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2936-71-0x00000000058D0000-0x0000000005936000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2936-74-0x0000000005690000-0x00000000056A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2936-70-0x0000000005690000-0x00000000056A0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2936-64-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2936-73-0x0000000074940000-0x00000000750F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2936-72-0x0000000006E20000-0x0000000006E70000-memory.dmp

          Filesize

          320KB

          Download

        • memory/4356-52-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4460-55-0x0000000000400000-0x000000000043E000-memory.dmp

          Filesize

          248KB

          Download

        • memory/4788-59-0x0000000074940000-0x00000000750F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4788-60-0x00000000056A0000-0x00000000056B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4788-61-0x0000000005820000-0x000000000582A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4788-62-0x000000000A4C0000-0x000000000A53A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/4788-63-0x0000000009150000-0x00000000091EC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/4788-44-0x0000000005710000-0x0000000005718000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4788-40-0x00000000057B0000-0x00000000057C8000-memory.dmp

          Filesize

          96KB

          Download

        • memory/4788-68-0x0000000074940000-0x00000000750F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4788-14-0x00000000054A0000-0x00000000054AA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/4788-13-0x00000000056A0000-0x00000000056B0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4788-12-0x0000000005500000-0x0000000005592000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4788-11-0x0000000005A10000-0x0000000005FB4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/4788-10-0x0000000074940000-0x00000000750F0000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/4788-9-0x0000000000A00000-0x0000000000AA0000-memory.dmp

          Filesize

          640KB

          Download