Overview

overview

10

Static

static

3

bb4f330ac5...0N.exe

windows7-x64

10

bb4f330ac5...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    02-08-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb4f330ac588f419d2734e8284ad2530N.exe

  • Size

    1.2MB

  • MD5

    bb4f330ac588f419d2734e8284ad2530

  • SHA1

    68643f78af5fb5e9c6871e8f996190b40c20e0bd

  • SHA256

    06dd93f166231acc6458a6dcdb2a7b2cfeaf4f97526c1dfc3e37c835ec7d3ed0

  • SHA512

    f9f18876f22d3b8993e7ef01914eb64019aeca6d62151b0d028dc1f6041d41498dbd09894f431779b0f3f2f7f391e811b23b85f5e3575df4f0a5125d5cb21e21

  • SSDEEP

    24576:zE/4rk9kQso6xohqsBJQZQi5m/Ur/4rZu3AssPjK1yCb4F5pHqLV3U:zEgw95l4ozJQSi5Jgg+Pjky/Fbq

Score
10/10
agentteslaredlinecredential_accessdiscoveryexecutioninfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Deletes itself 1 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Windows\system32\cmd.exe
      "cmd" /C wmic path win32_ComputerSystem get model
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2196
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_ComputerSystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2784
    • C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe
      "C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2760
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2288
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KZWLRSmTfkoP.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2232
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KZWLRSmTfkoP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A50.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:560
      • C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe
        "C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:768
    • C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe
      "C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2504
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qunOOlTEYv.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2064
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qunOOlTEYv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp498E.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2704
      • C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe
        "C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe"
        3⤵
        • Executes dropped EXE
        PID:1216
      • C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe
        "C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe"
        3⤵
        • Executes dropped EXE
        PID:1348
      • C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe
        "C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3016
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe"
      2⤵
      • Deletes itself
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 3
        3⤵
        • Delays execution with timeout.exe
        PID:2688

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\FFYVkUInrC\file.exe
    Filesize

    536KB

    MD5

    eacc176a7d5e2ecb851d872fca56adce

    SHA1

    d9fa93fe2a5fecdfc9e496f098e486ecc8526ee5

    SHA256

    aae6656549ce1324e5bc08a36c0524187d4c06d82ae05c71d1481840306e666b

    SHA512

    9173a1f26af74515ce92fd993ae98089b2178e026e434da570852a9b4941759dd5ab1f25ba8979266e1751a32faa4e32bd275880c20fab4d5e73b6178abd1732

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\crsFrWClWRuY\System.exe
    Filesize

    697KB

    MD5

    f74def3bfe7e320eaa41bc114a34c125

    SHA1

    460ccaf2f2f64ce3c851a384443f21adcd2b6880

    SHA256

    20593fe2c2402515d83befde3ee1521523f9cec459b39b014590299a713fe26d

    SHA512

    5721dfeaa8aa165591947c41f6f835de057b86e56ab7d057438b3e70fef7bd654bdc61fbae282da9d42e504ad2665ca6e48d87bda3ab80e8f30543808ea68929

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp498E.tmp
    Filesize

    1KB

    MD5

    3758bd8076add2d6053b6ac23d28704b

    SHA1

    0a387f66f80df497da0a721894d10aa325a72322

    SHA256

    4509edbeac530d0dd1b896a66fe2ec686a42ea35969cec972148485139436285

    SHA512

    1449a6edca0cc138c286e14113bb5b91b61aaebc5697f5ed9dd5e1db931da98e95cc4bf87d8b7cceb35700556e97c4f192677653c8061024314d9eed3acc1a29

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    9a5df853fb73768bfebca2f39b7c208f

    SHA1

    88c7951f71b5c1fd856d9a898dd692b6269d5ad2

    SHA256

    b04d8b91c237c39a2ca650c68e424df14848466f6edfdb0263b4eeedda20ae78

    SHA512

    ba355ce78bf361444c40d0dbebf02c15b9b2ac445184095b51c06aeae3eaccf9daf8ae06e6d83102cf78e72f1a5e103d6014bfa79fb5d8827ac617ac9b90abb3

    Download Submit
  • memory/776-26-0x0000000005160000-0x00000000051E6000-memory.dmp
    Filesize

    536KB

    Download
  • memory/776-20-0x00000000002F0000-0x00000000003A4000-memory.dmp
    Filesize

    720KB

    Download
  • memory/776-22-0x00000000003B0000-0x00000000003C2000-memory.dmp
    Filesize

    72KB

    Download
  • memory/776-23-0x00000000005B0000-0x00000000005BA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2760-21-0x0000000000F90000-0x000000000101C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/2760-25-0x0000000004700000-0x0000000004760000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2760-24-0x0000000000540000-0x000000000054E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2928-0-0x000007FEF56C3000-0x000007FEF56C4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2928-1-0x0000000000EB0000-0x0000000000FEC000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/3016-53-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-55-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-57-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-52-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3016-50-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-48-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-46-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3016-44-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download