Overview

overview

10

Static

static

3

ab182aba54...f8.exe

windows7-x64

10

ab182aba54...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-05-2024 01:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab182aba5412399f9e5f505bb3d8d145458fb108473fafbdbed740eae40738f8.exe

  • Size

    628KB

  • MD5

    b7649e5cb8035e0d62e3275244bc0c21

  • SHA1

    d39f5c06a58a53002cce5db542a70a7ceba843b7

  • SHA256

    ab182aba5412399f9e5f505bb3d8d145458fb108473fafbdbed740eae40738f8

  • SHA512

    610432d57c326de6fbb3f9d0bbdb8023e556f2cda2f7b011d7ca5d9e5c2f308c8d9665aa9cd075f071c0f8916b8dbd10172ab2b02be477dea4fb27f09c7decc3

  • SSDEEP

    12288:U++oXh1udZSqk9nk3kJQZsOcnSpDahm/GRkLB1wR2wveenfRCFFUems8iDguPB:7Xh1eZNktakJQZyAec4g62qfRCFFpkKh

Score
10/10
agentteslaevasionexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.brusln.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Countrycode@2024

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab182aba5412399f9e5f505bb3d8d145458fb108473fafbdbed740eae40738f8.exe
    "C:\Users\Admin\AppData\Local\Temp\ab182aba5412399f9e5f505bb3d8d145458fb108473fafbdbed740eae40738f8.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ab182aba5412399f9e5f505bb3d8d145458fb108473fafbdbed740eae40738f8.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2504
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:3440
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        2⤵
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4692
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
        2⤵
          PID:1652

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Unsecured Credentials

      4
      T1552

      Credentials In Files

      3
      T1552.001

      Credentials in Registry

      1
      T1552.002

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      5
      T1012

      System Information Discovery

      5
      T1082

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Data from Local System

      4
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f1ilpeim.0pl.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1112-1-0x00007FFFFD8A3000-0x00007FFFFD8A5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1112-0-0x000002BD530D0000-0x000002BD530E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1112-2-0x000002BD6D500000-0x000002BD6D576000-memory.dmp

        Filesize

        472KB

        Download

      • memory/1112-3-0x000002BD534A0000-0x000002BD534BE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/1112-4-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1112-5-0x000002BD53480000-0x000002BD53486000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1112-6-0x000002BD6D750000-0x000002BD6D7E6000-memory.dmp

        Filesize

        600KB

        Download

      • memory/1112-26-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-18-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-17-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-19-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-24-0x00007FFFFD8A0000-0x00007FFFFE361000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/2504-16-0x00000201DD390000-0x00000201DD3B2000-memory.dmp

        Filesize

        136KB

        Download

      • memory/4692-20-0x0000000000400000-0x0000000000444000-memory.dmp

        Filesize

        272KB

        Download

      • memory/4692-23-0x00000000057B0000-0x0000000005D54000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4692-25-0x0000000005380000-0x00000000053E6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4692-28-0x0000000006660000-0x00000000066B0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4692-29-0x0000000006750000-0x00000000067EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4692-30-0x0000000006890000-0x0000000006922000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4692-31-0x0000000006860000-0x000000000686A000-memory.dmp

        Filesize

        40KB

        Download