Overview

overview

10

Static

static

3

DkJr5Ana0qQ1M3U.exe

windows7-x64

10

DkJr5Ana0qQ1M3U.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    98s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DkJr5Ana0qQ1M3U.exe

  • Size

    844KB

  • MD5

    1449687555ad3c34204cbb9dc286603a

  • SHA1

    e43f55d0e375853f27c9786193d7614289c7f7b6

  • SHA256

    14ce526032b5ba32eee02d91119ed9fe15b9590b18a359d04627e1e97d7a6e86

  • SHA512

    d848e98b6031a1d092e9652fed86f4346fcad44d6c5a68bf9776a02f373047f01b72a7b7fd5004950c1f458a2607659cc3415d837e6e7650387bd3909925da76

  • SSDEEP

    12288:sWx504bFtx504bFWxmiuHPRNaQZiZ5hfPBTdPl5yyuQCUGWcfPFkwV8fFX37a:Jw4bjw4bquH5N125TAPQsXFkhn7

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.airfilterstechnologies.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    #airfilterstechnologies

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe
    "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3168
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1844
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uLhLhiEXSD.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2236
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uLhLhiEXSD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    f6e65e2611d759d9df6e2ebf95bcfad0

    SHA1

    337107626fe83109a9f196da4f71f42657f92969

    SHA256

    cf2d74bb6a96c8528ef2511cac92fe3b3563905c779983e53f3e26908cb7d8ca

    SHA512

    e8f39d5a4f29c7d83b49fd2db39032299cde9b758f602bd8689a14ac4c796a90fc34b43410ccb7b6a5c708af839387e5df7109ae7e5317f8d9ee8151b4aace42

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nwnvbufv.dw5.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp81B3.tmp
    Filesize

    1KB

    MD5

    89f5d860810213c4ae7ef84fe0bd7408

    SHA1

    9d3428935d173394ede54d62e236533de8e9fbd3

    SHA256

    17e51ef0c4400720a6d7eb740a229b915456f1513fd3c91315b244af546f2ebf

    SHA512

    168620f980f1b41868f7046ac3753727df5a6b26a5a24de906e51be31216e0c943fee2f2532468832930b540f608ad405d56a6741753b5e2342903f801cedd8c

    Download Submit
  • memory/1844-14-0x0000000002210000-0x0000000002246000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1844-17-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1844-76-0x0000000007080000-0x000000000708E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1844-70-0x0000000006D40000-0x0000000006DE3000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1844-60-0x000000006F8A0000-0x000000006F8EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1844-45-0x0000000005B30000-0x0000000005B4E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1844-78-0x0000000007190000-0x00000000071AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1844-16-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1844-15-0x0000000004D90000-0x00000000053B8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1844-77-0x0000000007090000-0x00000000070A4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1844-87-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1844-47-0x0000000006090000-0x00000000060DC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1844-20-0x0000000004C70000-0x0000000004C92000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1844-23-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1844-24-0x00000000053C0000-0x0000000005714000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1844-22-0x00000000059F0000-0x0000000005A56000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1844-21-0x0000000004D10000-0x0000000004D76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2236-46-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2236-79-0x0000000007BA0000-0x0000000007BA8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2236-86-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2236-40-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2236-19-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2236-75-0x0000000007A80000-0x0000000007A91000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2236-49-0x000000006F8A0000-0x000000006F8EC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2236-74-0x0000000007B00000-0x0000000007B96000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2236-73-0x0000000007900000-0x000000000790A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2236-59-0x0000000006B00000-0x0000000006B1E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2236-48-0x0000000007530000-0x0000000007562000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2236-71-0x0000000007ED0000-0x000000000854A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2236-72-0x0000000007880000-0x000000000789A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3168-0-0x000000007486E000-0x000000007486F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-7-0x0000000005910000-0x000000000592A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3168-9-0x0000000005DD0000-0x0000000005E54000-memory.dmp
    Filesize

    528KB

    Download
  • memory/3168-6-0x0000000004EB0000-0x0000000004F4C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3168-5-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3168-4-0x0000000004C80000-0x0000000004C8A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3168-8-0x0000000004DF0000-0x0000000004E00000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3168-3-0x0000000004BC0000-0x0000000004C52000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3168-35-0x0000000005AE0000-0x0000000005B22000-memory.dmp
    Filesize

    264KB

    Download
  • memory/3168-1-0x0000000000100000-0x00000000001D6000-memory.dmp
    Filesize

    856KB

    Download
  • memory/3168-2-0x0000000005070000-0x0000000005614000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3168-88-0x0000000006D70000-0x0000000006DC0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3168-89-0x000000007486E000-0x000000007486F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3168-90-0x0000000074860000-0x0000000075010000-memory.dmp
    Filesize

    7.7MB

    Download