Overview

overview

10

Static

static

3

Statement ...nt.exe

windows7-x64

10

Statement ...nt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    268s
  • max time network
    271s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    12-12-2023 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement of Account.exe

  • Size

    665KB

  • MD5

    8cde3c38aba1d12314914ef9f392f249

  • SHA1

    41bf1c60d192446b192bf8de0906af8e4e35c38f

  • SHA256

    662d11eea0dab34f36fa8f01e49c9ddea9d111e71d0509fa25993525e486d837

  • SHA512

    7e2f1256a404438566da00fbecb33ce6e186a363b8043d7f9a9f7cda39cc2e2afcc05b35d25ac10c6415c576824e5c6ab7ca4132dcb282eca7b87721cf3eccf7

  • SSDEEP

    12288:QjHbc+4WpAEAy7sE3vSQq32CqHUjEWl4kFx2T9DcLEOyylTQK+p3c+z+:6pAEoAtqmCYkFx25aFuK+G+

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.asiaparadisehotel.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    KTNL)LqQaA(8

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\leKTJR.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2836
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\leKTJR" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB442.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2764
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2428
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        2⤵
          PID:2844
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2568

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmpB442.tmp
        Filesize

        1KB

        MD5

        0097d2124d7a0c37f2b87fbfd44aeab0

        SHA1

        88da3a1cfda92729be46f4ed5298c913d305fb2b

        SHA256

        3b06c9e9389c77b0eb2a863df3f1cf743b643fcc3471131ccfe9f05582a65968

        SHA512

        f5e439a150551b7aad2f8fa5d500cf25a047ac9212feed7e8b65e84c661309f7691b9fdd2a880a803198903c0752aca9bba934b2a0e1deabf3bd72190ae7cc38

        Download Submit

      • memory/2056-0-0x0000000000830000-0x00000000008DC000-memory.dmp

        Filesize

        688KB

        Download

      • memory/2056-1-0x00000000746E0000-0x0000000074DCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2056-2-0x0000000004F40000-0x0000000004F80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2056-3-0x00000000004B0000-0x00000000004C8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2056-4-0x0000000000310000-0x0000000000318000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2056-5-0x00000000004D0000-0x00000000004DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2056-6-0x0000000005AC0000-0x0000000005B3C000-memory.dmp

        Filesize

        496KB

        Download

      • memory/2056-25-0x00000000746E0000-0x0000000074DCE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2568-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2568-31-0x0000000073550000-0x0000000073C3E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2568-18-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-15-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-22-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-14-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-24-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-27-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-37-0x0000000073550000-0x0000000073C3E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2568-16-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2568-30-0x0000000004890000-0x00000000048D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2568-36-0x0000000004890000-0x00000000048D0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2836-29-0x000000006EC30000-0x000000006F1DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2836-33-0x00000000026A0000-0x00000000026E0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2836-34-0x000000006EC30000-0x000000006F1DB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2836-32-0x00000000026A0000-0x00000000026E0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2836-28-0x000000006EC30000-0x000000006F1DB000-memory.dmp

        Filesize

        5.7MB

        Download