Overview

overview

10

Static

static

10

3384-4910-...ry.exe

windows7-x64

10

3384-4910-...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    128s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17-05-2024 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3384-4910-0x0000000000400000-0x000000000044B000-memory.exe

  • Size

    300KB

  • MD5

    89f413212bcb3c3eb5a5d496bf33c812

  • SHA1

    319e057de2b5fc74f5d40507d314e005de2cab35

  • SHA256

    375829ac1424371c42781a040e71774597f1e2da3b10df0f0937479da24f4241

  • SHA512

    af92e2f1a941ff3560b56de8fde953a9bfcf80c606f12cf2683b32dfc64015cc82cc52c05234dbf9d3803ec7332044b9b4741f2c1a04c7f15fcdf4679f5277a4

  • SSDEEP

    6144:cl+xRRRRp3EagaSHorWtWTmFduCNXaKluwhOq3bjBZYl:9xRRRRp3LgaSHorWtWCuCNZ3BZYl

Score
10/10
agentteslaasyncratapril3rd2024keyloggerratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

asyncrat

Version

0.5.7B

Botnet

April3rd2024

C2

94.156.65.181:3434

Mutex

A234sdgrgMutex_6SI8OkPnk

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

    ratasyncrat
  • Async RAT payload 1 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3384-4910-0x0000000000400000-0x000000000044B000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\3384-4910-0x0000000000400000-0x000000000044B000-memory.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2716
    • C:\Users\Admin\AppData\Local\Temp\FB_16CB.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_16CB.tmp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3016
    • C:\Users\Admin\AppData\Local\Temp\FB_1768.tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\FB_1768.tmp.exe"
      2⤵
      • Executes dropped EXE
      PID:2136

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\FB_16CB.tmp.exe
    Filesize

    237KB

    MD5

    8c4c985b5719d0acadafb2cc03f0e86e

    SHA1

    0e0644087a29575b5c4a1d3b76a79cf95c577d7b

    SHA256

    a2007da837ca22cd0e894946f9ce20a3352ac42c34c5930c159730ea4538e79b

    SHA512

    8255101de0ed591128c5d093cd683193a24f5044fc297e6e51ae58714b121164b480c9868c477c24d653a231dc17db4c5f78de9ccc084e14133cc95e14e6219c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\FB_1768.tmp.exe
    Filesize

    45KB

    MD5

    ac190c9e687b2c110354d3809d32a57d

    SHA1

    3fdfeca134e469f6ac42e03b3d39359313fb36fc

    SHA256

    6c0291916555438da7d3705991100d295d480ae58b98147a4d83fbd3cfb8dc19

    SHA512

    161ae735acf5b60c6c906c1b0223838987a24cbb410623af2495b31e2e663561a6ecf1ad5f08956a6fb2134ebd32aaaa1573bae7e1c4abdfb7fb0ca8b2a9ecb5

    Download Submit

  • memory/2136-15-0x0000000000C80000-0x0000000000C92000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2136-17-0x0000000073930000-0x000000007401E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2136-20-0x0000000073930000-0x000000007401E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3016-14-0x000000007393E000-0x000000007393F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-16-0x0000000000C50000-0x0000000000C92000-memory.dmp

    Filesize

    264KB

    Download

  • memory/3016-18-0x0000000073930000-0x000000007401E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3016-19-0x000000007393E000-0x000000007393F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3016-21-0x0000000073930000-0x000000007401E000-memory.dmp

    Filesize

    6.9MB

    Download