Overview

overview

10

Static

static

3

kYyBuIFRcL6U7Fl.exe

windows7-x64

10

kYyBuIFRcL6U7Fl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 02:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kYyBuIFRcL6U7Fl.exe

  • Size

    604KB

  • MD5

    dc6c813e0b5c0adab63e8f6e47d3fb76

  • SHA1

    c9979e87cf35d8563a16bf52ad762c04c89badc9

  • SHA256

    3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866

  • SHA512

    c3e83b275c6aedbf56fe581b6e5f5b7f9ec33573c460eca63590a33326c08378dd7ea04b1d80807fdfc74738d432adb9b37892a0655aff8611d2e30f4d9f9ef3

  • SSDEEP

    12288:z+E26ddIYd1x66+9GreDc4bRbOpPE6/5kqRQeB0QzauW2a5W:aOwO1mQreDc4lypPp+kQelzauWS

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables packed with SmartAssembly 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe
    "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoqhCzdpcgs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoqhCzdpcgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6060.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4468
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    c944ad5829b07518c78222ab37d31960

    SHA1

    1fc8d206dc9905b3d6fc6a2a7933b1ea20c8b8bc

    SHA256

    f0fdffbb99d28cb336a96c76c02bc1c89cecb7d1fb1c3400a00cf3a90c62ff86

    SHA512

    9ba7afca4666c9e2cedfec6b41f672db96cb3042ec1bae986109374e8444d784e47429e8234811ab650d805dbeebc7679390425800f95985cfa3e8b7c8d0fc03

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3opmw1bn.vwh.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp6060.tmp
    Filesize

    1KB

    MD5

    3fb7d6aeef5b2a0672d3e996050ae6b1

    SHA1

    3833b36fa8da4c618a8f621ce9ce2cfd8023d42c

    SHA256

    97652b52759cb9c57eb943ad5861d99617c5a76e75895dbda7b6dff41494844f

    SHA512

    556af4ecb4751d566ed827a2d5f9b6de00285541257ec4d8843fdefd7aa89c9ade54b59aad2497e69c96da27ad181dd637ec0f96ff5db70283e1a9b2c8332b2e

    Download Submit
  • memory/1960-18-0x0000000005140000-0x0000000005150000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1960-19-0x0000000005140000-0x0000000005150000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1960-65-0x0000000006BD0000-0x0000000006BEE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1960-66-0x0000000005140000-0x0000000005150000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1960-53-0x0000000075570000-0x00000000755BC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1960-80-0x00000000079A0000-0x00000000079AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1960-93-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1960-81-0x0000000007BB0000-0x0000000007C46000-memory.dmp
    Filesize

    600KB

    Download
  • memory/1960-22-0x0000000005DB0000-0x0000000005E16000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1960-86-0x0000000007C50000-0x0000000007C58000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1960-54-0x000000007F060000-0x000000007F070000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1960-24-0x0000000005F90000-0x0000000005FF6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1960-23-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3412-2-0x0000000005990000-0x0000000005F34000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3412-5-0x00000000053A0000-0x00000000053AA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3412-3-0x00000000053E0000-0x0000000005472000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3412-4-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3412-1-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3412-9-0x0000000009070000-0x000000000910C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3412-8-0x0000000006900000-0x0000000006982000-memory.dmp
    Filesize

    520KB

    Download
  • memory/3412-7-0x00000000058D0000-0x00000000058DC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/3412-48-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3412-6-0x0000000005720000-0x0000000005732000-memory.dmp
    Filesize

    72KB

    Download
  • memory/3412-0-0x0000000000A60000-0x0000000000AFE000-memory.dmp
    Filesize

    632KB

    Download
  • memory/3932-49-0x0000000005B20000-0x0000000005B3E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3932-21-0x00000000053C0000-0x00000000053E2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3932-14-0x00000000045A0000-0x00000000045D6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3932-55-0x0000000075570000-0x00000000755BC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3932-92-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3932-52-0x0000000006AE0000-0x0000000006B12000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3932-16-0x0000000004C20000-0x0000000005248000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3932-51-0x000000007F1D0000-0x000000007F1E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3932-77-0x00000000045E0000-0x00000000045F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3932-76-0x0000000006D20000-0x0000000006DC3000-memory.dmp
    Filesize

    652KB

    Download
  • memory/3932-78-0x00000000074C0000-0x0000000007B3A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3932-79-0x0000000006E70000-0x0000000006E8A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3932-35-0x00000000056C0000-0x0000000005A14000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/3932-50-0x0000000005B50000-0x0000000005B9C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3932-82-0x0000000007070000-0x0000000007081000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3932-83-0x00000000070A0000-0x00000000070AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3932-84-0x00000000070B0000-0x00000000070C4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3932-85-0x00000000071B0000-0x00000000071CA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3932-17-0x00000000045E0000-0x00000000045F0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3932-15-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4880-34-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/4880-45-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4880-47-0x0000000005640000-0x0000000005650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4880-94-0x0000000006AB0000-0x0000000006B00000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4880-95-0x0000000074D10000-0x00000000754C0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4880-96-0x0000000005640000-0x0000000005650000-memory.dmp
    Filesize

    64KB

    Download