Overview

overview

10

Static

static

1

CMLite.exe

windows7-x64

10

CMLite.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    CMLite.exe

  • Size

    2.3MB

  • Sample

    240510-ywdftsfb5v

  • MD5

    616a65eb66de1b0218401d55bc36e8b8

  • SHA1

    3c61c3844590cdffe11218fb8f5bb13a5555d52e

  • SHA256

    35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

  • SHA512

    c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

  • SSDEEP

    49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

Score
10/10
agentteslazgratevasionexecutionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Targets

    • Target

      CMLite.exe

    • Size

      2.3MB

    • MD5

      616a65eb66de1b0218401d55bc36e8b8

    • SHA1

      3c61c3844590cdffe11218fb8f5bb13a5555d52e

    • SHA256

      35bbb997958723a543c906b2c014da4e73d28b935260a58a46c5c09d2920bb89

    • SHA512

      c77ace0d3a8a9dfb5d18e5099b2afef1ad5bc0add6a947fcf1efc8c32be2f8ccab7405bccc8f7514b4f2a884a4c01969e097bf87e724b60effca333628e03004

    • SSDEEP

      49152:C3Iq8lWFDP5E73BgWmU2p77Qqs10y3SryMqf:CMeDPYCWmn5QfbSryMqf

    Score
    10/10
    agentteslazgratevasionexecutionkeyloggerpersistenceratspywarestealertrojan

    • AgentTesla

      Agent Tesla is a remote access tool (RAT) written in visual basic.

      keyloggertrojanstealerspywareagenttesla

    • Detect ZGRat V1

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • ZGRat

      ZGRat is remote access trojan written in C#.

      ratzgrat

    • AgentTesla payload

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Drops file in System32 directory

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks