Overview

overview

10

Static

static

10

DESIGN LOGO.exe

windows7-x64

10

DESIGN LOGO.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-08-2024 01:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DESIGN LOGO.exe

  • Size

    355KB

  • MD5

    1dffa9d5b1d33095977375b1aecf4f2b

  • SHA1

    1e9172d8822d3477393db4f8c35aa0733eab7bf9

  • SHA256

    3bcc155f5bc7b6b5f5a4df83363b57e52ce7e8b88c2ed695023b057874b12849

  • SHA512

    66d0ccd7bca497a649fefaab0b5d5675eee49d546644334f5e41cda12705a7e65b6ef52cb449dcc7f95e85a3f6bd5926acb9df4d648b28d9a4e45f3b6bfdd710

  • SSDEEP

    6144:CbeI1OYuG0Lahya/QYMAsYL8wgs3tgbp9PkBqQ0IqQ5FgL:XeUeQYMAsYL8wgs9QpkqpIqQ

Score
10/10
agentteslaredlinesectopratnewlogscredential_accessdiscoveryinfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7390139954:AAFw-89dzufZnN9iQ-qMJ7xuGsXRrzvXAEI/

Extracted

Family

redline

Botnet

Newlogs

C2

204.14.75.2:16383

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DESIGN LOGO.exe
    "C:\Users\Admin\AppData\Local\Temp\DESIGN LOGO.exe"
    1⤵
    • Checks computer location settings
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1640
    • C:\Windows\SYSTEM32\cmd.exe
      "cmd" /C wmic path win32_ComputerSystem get model
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:524
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic path win32_ComputerSystem get model
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1480
    • C:\Users\Admin\AppData\Local\Temp\fQoAOEEdMG\file.exe
      "C:\Users\Admin\AppData\Local\Temp\fQoAOEEdMG\file.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1296
    • C:\Users\Admin\AppData\Local\Temp\ZHGdmiSOFrYu\file.exe
      "C:\Users\Admin\AppData\Local\Temp\ZHGdmiSOFrYu\file.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4492
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C TIMEOUT /T 3 && DEL /f "C:\Users\Admin\AppData\Local\Temp\DESIGN LOGO.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:5084
      • C:\Windows\system32\timeout.exe
        TIMEOUT /T 3
        3⤵
        • Delays execution with timeout.exe
        PID:2840

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ZHGdmiSOFrYu\file.exe
    Filesize

    247KB

    MD5

    e559e786f9fe168805fa606256d7e238

    SHA1

    1c650a57a2e2406d68b7e1c69aa091474c0e99df

    SHA256

    48bbbcfc4feb7b340f79fad4216adf7ac6b799a16f9c663784e0100ab44f8632

    SHA512

    0e968871776fc010d8a869634f984d58681cd5a6b1815a5f812829a86c55711fe66004c51f4155818f9c3f73a8d01cfd7d2b747a27432d70ae7f6f5a107abbab

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\fQoAOEEdMG\file.exe
    Filesize

    95KB

    MD5

    cfa3c4d3b63a5db265a3fdfea72f5dd5

    SHA1

    19da030053b3e32907fbf7cdc6641cfadbc9d1d7

    SHA256

    14266cc49018302498bbf452ae1311b3f86bb8544b8601227c90339d337f657f

    SHA512

    b57cf96df30583d6e2d4d091c4417323d6d70fa713e661f8ebaae2f127b25de71af652ed20a820b7c4906844cb5abd9a389dbc8a2d58d5e91860b1eb676c9657

    Download Submit
  • memory/1296-32-0x00000000057E0000-0x000000000581C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1296-27-0x0000000000EF0000-0x0000000000F0E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1296-30-0x0000000005E00000-0x0000000006418000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1296-31-0x0000000005770000-0x0000000005782000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1640-1-0x00007FFE86073000-0x00007FFE86075000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1640-0-0x0000000000950000-0x00000000009AE000-memory.dmp
    Filesize

    376KB

    Download
  • memory/4492-28-0x00000000000D0000-0x0000000000114000-memory.dmp
    Filesize

    272KB

    Download
  • memory/4492-29-0x0000000005050000-0x00000000055F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4492-33-0x0000000004C40000-0x0000000004CA6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4492-34-0x0000000006190000-0x00000000061E0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4492-35-0x0000000006280000-0x000000000631C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4492-36-0x0000000006600000-0x0000000006692000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4492-37-0x00000000065F0000-0x00000000065FA000-memory.dmp
    Filesize

    40KB

    Download