Overview

overview

10

Static

static

3

3d0067132e...8e.exe

windows7-x64

10

3d0067132e...8e.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/01/2024, 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3d0067132eaf46799e57c10223a025e001e82583b9972f1805b38de605fda98e.exe

  • Size

    1.5MB

  • MD5

    4d6439772f29b66188b9898a9639ce0c

  • SHA1

    13f853f2c8d1bcf94ee1fad9c4950212103db0f4

  • SHA256

    3d0067132eaf46799e57c10223a025e001e82583b9972f1805b38de605fda98e

  • SHA512

    4633ebe0d84f24a7ecb3ef248d4c3866406e45d4c9d2abbc99f3bcf1a50e52f68353d040b8e7710ac9de7d09d861623ff23778e9d5fe77dc10a5b42652fee1ef

  • SSDEEP

    24576:pA9PI47mMe3qTK/MYnyXXQ9cgAwFrDsRMzOFlB6WXg/jzKsleGu2bh:c2MYy6cqdDQSOFJg/jYwbh

Score
10/10
agentteslamodiloaderzgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.oripam.xyz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    231Father@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 29 IoCs
  • ModiLoader, DBatLoader

    ModiLoader is a Delphi loader that misuses cloud services to download other malicious families.

    trojanmodiloader
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • ModiLoader Second Stage 1 IoCs
  • Creates new service(s) 1 TTPs
    persistence
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Script User-Agent 2 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 52 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3d0067132eaf46799e57c10223a025e001e82583b9972f1805b38de605fda98e.exe
    "C:\Users\Admin\AppData\Local\Temp\3d0067132eaf46799e57c10223a025e001e82583b9972f1805b38de605fda98e.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2820
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\NzmctogkO.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2228
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
        3⤵
          PID:3436
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c mkdir "\\?\C:\Windows "
          3⤵
            PID:884
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy "easinvoker.exe" "C:\Windows \System32\" /K /D /H /Y
            3⤵
            • Enumerates system info in registry
            PID:1796
          • C:\Windows \System32\easinvoker.exe
            "C:\\Windows \\System32\\easinvoker.exe"
            3⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3780
          • C:\Windows\SysWOW64\xcopy.exe
            xcopy "x.bat" "C:\Windows \System32\" /K /D /H /Y
            3⤵
            • Enumerates system info in registry
            PID:3844
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
            3⤵
              PID:2208
            • C:\Windows\SysWOW64\xcopy.exe
              xcopy "KDECO.bat" "C:\Windows \System32\" /K /D /H /Y
              3⤵
              • Enumerates system info in registry
              PID:4044
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
              3⤵
                PID:3636
              • C:\Windows\SysWOW64\xcopy.exe
                xcopy "netutils.dll" "C:\Windows \System32\" /K /D /H /Y
                3⤵
                • Enumerates system info in registry
                PID:2112
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /S /D /c" ECHO F"
                3⤵
                  PID:2856
              • C:\Windows\SysWOW64\cmd.exe
                cmd /c "C:\\Windows \\System32\\easinvoker.exe"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4444
                • C:\Windows \System32\easinvoker.exe
                  "C:\\Windows \\System32\\easinvoker.exe"
                  3⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  PID:2596
              • C:\Users\Public\Libraries\kgotcmzN.pif
                C:\Users\Public\Libraries\kgotcmzN.pif
                2⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:4520
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /c ""C:\windows \system32\KDECO.bat""
              1⤵
              • Suspicious use of WriteProcessMemory
              PID:4704
              • C:\Windows\system32\sc.exe
                sc.exe create truesight binPath="C:\Users\Public\Libraries\truesight.sys" type=kernel
                2⤵
                • Launches sc.exe
                PID:1628
              • C:\Windows\system32\sc.exe
                sc.exe start truesight
                2⤵
                • Launches sc.exe
                PID:1852
              • C:\Windows\system32\cmd.exe
                cmd /c powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:4176
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath 'C:\Users'"
              1⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:2984

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5xyx2uce.aub.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Public\Libraries\NzmctogkO.bat
              Filesize

              404B

              MD5

              6880148d6cd8fabdce94b7e91dbd8d17

              SHA1

              870e9ad13355a8452746e0904d004ee8c8ec66e5

              SHA256

              0bfe311ffb1de96cbb2616c2a59c2a1a4942ec03073cc2ddfdfc43f79c74d18a

              SHA512

              810ee2896597cbcf813b9285bb2d7f9127360a4d8a872c47460d32710fe114c27ed58f840dc8bcfdaf7b826e7e46c78c0e814e4fa3d380d10737673a1febf38e

              Download Submit

            • C:\Users\Public\Libraries\kgotcmzN.pif
              Filesize

              171KB

              MD5

              22331abcc9472cc9dc6f37faf333aa2c

              SHA1

              2a001c30ba79a19ceaf6a09c3567c70311760aa4

              SHA256

              bdfa725ec2a2c8ea5861d9b4c2f608e631a183fca7916c1e07a28b656cc8ec0c

              SHA512

              c7f5baad732424b975a426867d3d8b5424aa830aa172ed0ff0ef630070bf2b4213750e123a36d8c5a741e22d3999ca1d7e77c62d4b77d6295b20a38114b7843c

              Download Submit

            • C:\Users\Public\Libraries\kgotcmzN.pif
              Filesize

              128KB

              MD5

              6c2e15bcb8c8daa3b79b0a1e0d868316

              SHA1

              3fed8a00f51d2bb719e15da9589bf20c047fe811

              SHA256

              23668dc45f9b600c26d4a8a9a5888428ebdb29c0040146a3630b1ea4cee9b692

              SHA512

              0ac45340782fe108979cac3aa2f9bedd74ba134b931edddcec336479076783d697adf21962529be9d207d120fbd134f8b9cb90475e4aed1f37444d707adec4b7

              Download Submit

            • C:\Windows \System32\easinvoker.exe
              Filesize

              128KB

              MD5

              231ce1e1d7d98b44371ffff407d68b59

              SHA1

              25510d0f6353dbf0c9f72fc880de7585e34b28ff

              SHA256

              30951db8bfc21640645aa9144cfeaa294bb7c6980ef236d28552b6f4f3f92a96

              SHA512

              520887b01bda96b7c4f91b9330a5c03a12f7c7f266d4359432e7bacc76b0eef377c05a4361f8fa80ad0b94b5865699d747a5d94a2d3dcdb85dabf5887bb6c612

              Download Submit

            • C:\Windows \System32\easinvoker.exe
              Filesize

              92KB

              MD5

              614813576f86ac7fae2fa80804014fb7

              SHA1

              c9d89a5f6d926ce5ad20275bf7fe242ff53efed6

              SHA256

              b269435f39a22be17d0af173348cab52965ec3cee8ed0ec52434ba3007809ee8

              SHA512

              9653ebdcdedeb6b23347028f7a46ca53d78efcd514f98d0efe826ac42b92578a17ccc145fdb3a1a71d726af62f05f4f6e0473341ee3bafaf605aa58aaba8b5cb

              Download Submit

            • C:\Windows \System32\netutils.dll
              Filesize

              114KB

              MD5

              1a2d83c73343d26f40a50fe2fe2f3e99

              SHA1

              cce1c460b809c39f3be25d3e9b57bb5a1584923b

              SHA256

              e2a595076d88ab6a210c395a75a78409e0e4f51cd13f0e10ad1b8c153b4e90d7

              SHA512

              26fffe2a5543f92f2a04996436343b82f99f1cec6e7e6b7b6c40f888d65951c61cb31318bcb3e5af6bd624960069bfb732e31c9ab70da462e1548daaa1ac1734

              Download Submit

            • C:\windows \system32\KDECO.bat
              Filesize

              271B

              MD5

              d62b11dc4dc821ef23260e5b0e74a835

              SHA1

              cdff2004cb9ef149f75fae296f50f4fbfefb2e84

              SHA256

              d1b19b878a3ae98f650843314cc3ef8d681013f6e18e0201cb47a0afa45fc349

              SHA512

              27b8292eb318413b965e1c7552165e65f9003d03b15ddc0c5c142420a1a174303f983c268942d7b60c74ac4e8e79e01f83510807fc0c492cabdf4948bc69c625

              Download Submit

            • memory/2596-56-0x00000000613C0000-0x00000000613E2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2820-4-0x0000000000400000-0x000000000059D000-memory.dmp

              Filesize

              1.6MB

              Download

            • memory/2820-0-0x00000000024A0000-0x00000000024A1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2820-2-0x0000000002A00000-0x0000000003A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2820-1-0x0000000002A00000-0x0000000003A00000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/2984-41-0x0000015F279C0000-0x0000015F279D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2984-40-0x0000015F27920000-0x0000015F27942000-memory.dmp

              Filesize

              136KB

              Download

            • memory/2984-39-0x0000015F279C0000-0x0000015F279D0000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2984-38-0x00007FFF91F40000-0x00007FFF92A01000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/2984-44-0x00007FFF91F40000-0x00007FFF92A01000-memory.dmp

              Filesize

              10.8MB

              Download

            • memory/3780-27-0x00000000613C0000-0x00000000613E2000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4520-72-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-94-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-57-0x0000000031D50000-0x0000000031DA4000-memory.dmp

              Filesize

              336KB

              Download

            • memory/4520-51-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4520-58-0x0000000034690000-0x0000000034C34000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4520-59-0x0000000031FA0000-0x0000000031FF2000-memory.dmp

              Filesize

              328KB

              Download

            • memory/4520-60-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-63-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-61-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-65-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-67-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-69-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4520-70-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-48-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4520-74-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-76-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-78-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-80-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-82-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-84-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-86-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-88-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-90-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-52-0x0000000000400000-0x0000000001400000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/4520-98-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-102-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-104-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-106-0x0000000074BC0000-0x0000000075370000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4520-108-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-110-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-107-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-116-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-114-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-112-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-100-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-96-0x0000000031FA0000-0x0000000031FED000-memory.dmp

              Filesize

              308KB

              Download

            • memory/4520-93-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-91-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-1095-0x00000000345C0000-0x0000000034626000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4520-1096-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-1097-0x0000000035290000-0x00000000352E0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/4520-1098-0x0000000035330000-0x00000000353CC000-memory.dmp

              Filesize

              624KB

              Download

            • memory/4520-1099-0x0000000035910000-0x00000000359A2000-memory.dmp

              Filesize

              584KB

              Download

            • memory/4520-1100-0x0000000035B00000-0x0000000035B0A000-memory.dmp

              Filesize

              40KB

              Download

            • memory/4520-1103-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-1105-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4520-1104-0x0000000074BC0000-0x0000000075370000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4520-1106-0x0000000034680000-0x0000000034690000-memory.dmp

              Filesize

              64KB

              Download