Overview

overview

10

Static

static

3

Dark.exe

windows10-1703-x64

10

Dark.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    11s
  • max time network
    13s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    29/08/2024, 18:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dark.exe

  • Size

    2.2MB

  • MD5

    b0c952e0a98835d76da62b3bd4cb7828

  • SHA1

    eb7fb06d56bdf35a8d253debf56b4fad947d5505

  • SHA256

    f722a7285a79f697284d7e376ea3122398c84be2a13eed2b2470ff03d752faad

  • SHA512

    26b1654de14667ed5181e136cf70394f280c85758782e28fae86675e93466602f7fdd3d8c1efd0b4a70bb9ddc8be4e527e45797c433067935062c64465245d7c

  • SSDEEP

    49152:/0X0AsmM6YOcXExsPq2QdGcrkEhsuC06aGHYxKGOoz:/tAsmy/y90V8oHlZ

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dark.exe
    "C:\Users\Admin\AppData\Local\Temp\Dark.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\Com.exe
      "C:\Users\Admin\AppData\Local\Temp\Com.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:3636
      • C:\Windows\system32\cmd.exe
        /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\reg.exe
          reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
          4⤵
            PID:1536
        • C:\Windows\system32\cmd.exe
          /c reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\414776.vbs" /f & reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1168
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /ve /t REG_SZ /d "wscript.exe C:\Users\Admin\AppData\Local\Temp\414776.vbs" /f
            4⤵
            • Modifies registry class
            PID:3796
          • C:\Windows\system32\reg.exe
            reg add "HKEY_CURRENT_USER\Software\Classes\ms-settings\Shell\Open\command" /v DelegateExecute /t REG_SZ /d "" /f
            4⤵
            • Modifies registry class
            PID:528
        • C:\Windows\system32\cmd.exe
          /c start /B ComputerDefaults.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1732
          • C:\Windows\system32\ComputerDefaults.exe
            ComputerDefaults.exe
            4⤵
              PID:4404
          • C:\Windows\system32\cmd.exe
            /c del /f C:\Users\Admin\AppData\Local\Temp\414776.vbs
            3⤵
              PID:3780
            • C:\Windows\system32\cmd.exe
              /c reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:4152
              • C:\Windows\system32\reg.exe
                reg delete "HKEY_CURRENT_USER\Software\Classes\ms-settings" /f
                4⤵
                • Modifies registry class
                PID:432
          • C:\Users\Admin\AppData\Local\Temp\DarkWare.exe
            "C:\Users\Admin\AppData\Local\Temp\DarkWare.exe"
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Enumerates system info in registry
            • Suspicious use of AdjustPrivilegeToken
            PID:220

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\414776.vbs
          Filesize

          125B

          MD5

          8b4ed5c47fdddbeba260ef11cfca88c6

          SHA1

          868f11f8ed78ebe871f9da182d053f349834b017

          SHA256

          170226b93ac03ac3178c0429577626add00665e1d71be650a4c46674f6e262a5

          SHA512

          87e5bcaa143e616c365557f5af73e131a10eb380016633b8c7e38c83b0a216a8f6768cfa0166fad208d47830808444517e57d07d850ff2bd575ca67bad9eabdf

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Com.exe
          Filesize

          230KB

          MD5

          f08723bcb5c94651b8df18a3ad027460

          SHA1

          e9f855543aab8f383a34d6a738889034daa6b5a3

          SHA256

          b8ca9e14e7adaa62220329b33138336146a2b3188215fcbd38365efc2f756460

          SHA512

          3f647c85345e08d533d15a3fab7394da3caff2b4fdbaaa83946321312f3f17d5cba018309d4b2206f083f9fd90f568c27399932c2ae5ae79200a05d6dd0da589

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\DarkWare.exe
          Filesize

          2.0MB

          MD5

          20f94ee7f660352e0c8a14810a183350

          SHA1

          1a39916394380b3ba2fba53249fa82ffc88e2876

          SHA256

          7f14473c3d2bc352e829f2c15754cf8a41f43bbadd9413b5765c65913660a922

          SHA512

          c1c4933d81234507cad12a524426e69096f28f710e61ad1a0cdb011567c6ca9b67bf24e2f74d87d1df8d7462de08add33bdbb0d4628efd4d55f6fe0bac96125e

          Download Submit

        • memory/220-40-0x0000000004FF0000-0x0000000005000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/220-22-0x0000000004FF0000-0x0000000005000000-memory.dmp

          Filesize

          64KB

          Download

        • memory/220-25-0x00000000063B0000-0x00000000063BA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/220-15-0x0000000073A0E000-0x0000000073A0F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/220-24-0x0000000006070000-0x0000000006282000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/220-17-0x0000000000500000-0x0000000000700000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/220-18-0x0000000002B00000-0x0000000002B12000-memory.dmp

          Filesize

          72KB

          Download

        • memory/220-19-0x0000000005540000-0x0000000005A3E000-memory.dmp

          Filesize

          5.0MB

          Download

        • memory/220-20-0x0000000004F50000-0x0000000004FE2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/220-23-0x0000000005DC0000-0x0000000005DFE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/2828-0-0x00007FFA7ECD3000-0x00007FFA7ECD4000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2828-1-0x0000000000540000-0x000000000077A000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/2828-16-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/2828-3-0x00007FFA7ECD0000-0x00007FFA7F6BC000-memory.dmp

          Filesize

          9.9MB

          Download

        • memory/3636-8-0x0000028A2D310000-0x0000028A2D311000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3636-21-0x0000028A2D320000-0x0000028A2D321000-memory.dmp

          Filesize

          4KB

          Download