Overview

overview

10

Static

static

3

bb4f330ac5...0N.exe

windows7-x64

10

bb4f330ac5...0N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-08-2024 16:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bb4f330ac588f419d2734e8284ad2530N.exe

  • Size

    1.2MB

  • MD5

    bb4f330ac588f419d2734e8284ad2530

  • SHA1

    68643f78af5fb5e9c6871e8f996190b40c20e0bd

  • SHA256

    06dd93f166231acc6458a6dcdb2a7b2cfeaf4f97526c1dfc3e37c835ec7d3ed0

  • SHA512

    f9f18876f22d3b8993e7ef01914eb64019aeca6d62151b0d028dc1f6041d41498dbd09894f431779b0f3f2f7f391e811b23b85f5e3575df4f0a5125d5cb21e21

  • SSDEEP

    24576:zE/4rk9kQso6xohqsBJQZQi5m/Ur/4rZu3AssPjK1yCb4F5pHqLV3U:zEgw95l4ozJQSi5Jgg+Pjky/Fbq

Score
10/10
agentteslaredlinesectopratcetrycredential_accessdiscoveryexecutioninfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Extracted

Family

redline

Botnet

cetry

C2

204.14.75.2:16383

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe
    "C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:852
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C wmic path win32_ComputerSystem get model
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2768
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_ComputerSystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1916
    • C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe
      "C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KZWLRSmTfkoP.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3716
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KZWLRSmTfkoP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE67.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4940
      • C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe
        "C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:5080
    • C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe
      "C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4000
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2404
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\qunOOlTEYv.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2512
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\qunOOlTEYv" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD68A.tmp"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:4456
      • C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe
        "C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe"
        3⤵
        • Executes dropped EXE
        PID:3320
      • C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe
        "C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:3080
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\bb4f330ac588f419d2734e8284ad2530N.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3796
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 3
        3⤵
        • Delays execution with timeout.exe
        PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log
    Filesize

    1KB

    MD5

    8ec831f3e3a3f77e4a7b9cd32b48384c

    SHA1

    d83f09fd87c5bd86e045873c231c14836e76a05c

    SHA256

    7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

    SHA512

    26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    08386a41af7f563fc56f695c490cf832

    SHA1

    21fa00fc796340cbb8c2f46b66484669264acd53

    SHA256

    d0285715af6b6357588258a80b2eec4de47ff670121adc5cd636e1e041a4e095

    SHA512

    2c20531fb316a1190bb05fcd205edbcbfe491d28a34a97e4515bdab0742c098aab3c1f94dc0844dcbd4c7086e4eb3d3a0bbea7e730214c252be034984b0245c2

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    2f18cab0a901b6b82cbc791c7ee13f7f

    SHA1

    185838a223a2405c08f8a3076add4dd18c52c10c

    SHA256

    0d9706f5c30e8662ee83475aa10fe4533911b379c2759046c1b607faa93c9c07

    SHA512

    a13087120b6113f01ba9004b986d0e228db539948bfa5701686c14336b9898a494366125a4d48f4f1d357d8f54e4bcba85a3f33fbd9aae5259a379f632363488

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\AUEOUmaEUU\file.exe
    Filesize

    536KB

    MD5

    eacc176a7d5e2ecb851d872fca56adce

    SHA1

    d9fa93fe2a5fecdfc9e496f098e486ecc8526ee5

    SHA256

    aae6656549ce1324e5bc08a36c0524187d4c06d82ae05c71d1481840306e666b

    SHA512

    9173a1f26af74515ce92fd993ae98089b2178e026e434da570852a9b4941759dd5ab1f25ba8979266e1751a32faa4e32bd275880c20fab4d5e73b6178abd1732

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\MsCTwsHccQqh\System.exe
    Filesize

    697KB

    MD5

    f74def3bfe7e320eaa41bc114a34c125

    SHA1

    460ccaf2f2f64ce3c851a384443f21adcd2b6880

    SHA256

    20593fe2c2402515d83befde3ee1521523f9cec459b39b014590299a713fe26d

    SHA512

    5721dfeaa8aa165591947c41f6f835de057b86e56ab7d057438b3e70fef7bd654bdc61fbae282da9d42e504ad2665ca6e48d87bda3ab80e8f30543808ea68929

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1tthlsrk.fvl.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpD68A.tmp
    Filesize

    1KB

    MD5

    7c8390ae88449aa44a6c5c4037388f11

    SHA1

    eaff1e6636343ac2b0ee39144961588461798475

    SHA256

    2794339fe194179dcd4dcea28ebfa7f0909bdb2ca091c8f1a17b415cfc30c1da

    SHA512

    ea4fb33703286da5cff85cc90e6809243aa3708078d1ada43e9c7831de187e1919b980aafc01301f2510832fbd923ad24ae6a40a1ee5b461c0f59852d0384c90

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpEE67.tmp
    Filesize

    1KB

    MD5

    d7b3c8bc0e84afda928c7eb11aa236dc

    SHA1

    453b4409f1172237266f8eb768bee1c537124ee9

    SHA256

    3dd20763c20f6b9012653d31f7cbf217423262ee41c3e279baa1956299aab2f9

    SHA512

    cd3d421113013a1eb2d35bdb8655ab0ab7ed0e7faca9f87f4d59cae16fc4c04180a5b8f9a5e348a6dd06cf23da44ace39110eb1704971ba629c39e410c3e55a4

    Download Submit
  • memory/852-1-0x0000000000B20000-0x0000000000C5C000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/852-0-0x00007FFB5CC93000-0x00007FFB5CC95000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1064-153-0x0000000007990000-0x0000000007A33000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1064-141-0x00000000067B0000-0x00000000067FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1064-123-0x0000000006230000-0x0000000006584000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1064-143-0x0000000075710000-0x000000007575C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2208-35-0x0000000005C50000-0x0000000005CB0000-memory.dmp
    Filesize

    384KB

    Download
  • memory/2208-37-0x0000000008940000-0x00000000089DC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2208-27-0x0000000000D90000-0x0000000000E1C000-memory.dmp
    Filesize

    560KB

    Download
  • memory/2208-32-0x0000000005850000-0x0000000005862000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2208-29-0x0000000005D70000-0x0000000006314000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2404-103-0x0000000007A40000-0x0000000007A5A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2404-47-0x0000000005680000-0x00000000056E6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2404-42-0x0000000002AF0000-0x0000000002B26000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2404-102-0x0000000007940000-0x0000000007954000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2404-100-0x0000000007900000-0x0000000007911000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2404-71-0x00000000063E0000-0x00000000063FE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2404-72-0x00000000069D0000-0x0000000006A1C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2404-75-0x0000000070440000-0x000000007048C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2404-98-0x0000000007770000-0x000000000777A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2512-73-0x00000000075C0000-0x00000000075F2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/2512-104-0x0000000007C60000-0x0000000007C68000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2512-95-0x0000000007800000-0x00000000078A3000-memory.dmp
    Filesize

    652KB

    Download
  • memory/2512-96-0x0000000007F80000-0x00000000085FA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2512-97-0x0000000007940000-0x000000000795A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2512-74-0x0000000070440000-0x000000007048C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2512-99-0x0000000007BC0000-0x0000000007C56000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2512-90-0x0000000007580000-0x000000000759E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2512-101-0x0000000007B70000-0x0000000007B7E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2512-58-0x0000000006020000-0x0000000006374000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2512-46-0x0000000005E40000-0x0000000005EA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2512-43-0x0000000005810000-0x0000000005E38000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2512-45-0x0000000005640000-0x0000000005662000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3080-108-0x0000000006CE0000-0x0000000006D30000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3080-68-0x0000000000400000-0x0000000000444000-memory.dmp
    Filesize

    272KB

    Download
  • memory/3716-165-0x0000000007580000-0x0000000007594000-memory.dmp
    Filesize

    80KB

    Download
  • memory/3716-164-0x0000000007540000-0x0000000007551000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3716-154-0x0000000075710000-0x000000007575C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4000-30-0x0000000005090000-0x0000000005122000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4000-36-0x0000000005590000-0x0000000005616000-memory.dmp
    Filesize

    536KB

    Download
  • memory/4000-34-0x00000000052A0000-0x00000000052AE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/4000-28-0x00000000005E0000-0x0000000000694000-memory.dmp
    Filesize

    720KB

    Download
  • memory/4000-33-0x0000000005280000-0x000000000528A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4000-31-0x0000000005070000-0x000000000507A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/5080-124-0x0000000000400000-0x000000000041E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/5080-142-0x00000000050A0000-0x00000000051AA000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/5080-140-0x0000000004E00000-0x0000000004E3C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/5080-139-0x0000000004D50000-0x0000000004D62000-memory.dmp
    Filesize

    72KB

    Download
  • memory/5080-138-0x00000000053A0000-0x00000000059B8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/5080-169-0x00000000063C0000-0x0000000006582000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/5080-170-0x0000000006AC0000-0x0000000006FEC000-memory.dmp
    Filesize

    5.2MB

    Download