Overview

overview

10

Static

static

3

Sleettz Vi...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    95s
  • max time network
    96s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 15:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sleettz Virtualization.exe

  • Size

    2.0MB

  • MD5

    393a0f8a3bacd8ade71d1874fde3568e

  • SHA1

    9a56d4def655c0805714b32198000d0b177694da

  • SHA256

    85a8d0cee047255ca84d6f48058a553a783745b13196151c5dc34ade36599a0e

  • SHA512

    672ded8eaa8f1857c55b6cf6cdae1977c01a7538217fb3aecdc2f1339e94e2882495408772b6c935755c38165520c66850240f1302ba12d005945d8e354d48cb

  • SSDEEP

    49152:X1/wXVtR1NNZHNNNNNNNXv2N8FR1NNZHNNNNNNNXv2N8lITYbNbNWo4kSH3OqtwE:lwFtR1NNZHNNNNNNNXv2N8FR1NNZHNNQ

Score
10/10
agenttesladiscoveryevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 3 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 3 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 6 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
    "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3984
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3600
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 5
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:3648
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:1344
    • C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
      "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5364
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:908
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:1020
    • C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe
      "C:\Users\Admin\AppData\Local\Temp\Sleettz Virtualization.exe"
      1⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe" /c start cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4268
        • C:\Windows\SysWOW64\cmd.exe
          cmd /C "color b && title Error && echo You must run the function KeyAuthApp.init(); first && timeout /t 5"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2452
          • C:\Windows\SysWOW64\timeout.exe
            timeout /t 5
            4⤵
            • System Location Discovery: System Language Discovery
            • Delays execution with timeout.exe
            PID:3388

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\KeyAuth\debug\Sleettz Virtualization\Sep_05_2024_logs.txt
      Filesize

      357B

      MD5

      806e333a0eab7d500426c2d3596f1a6c

      SHA1

      e78a9ebcda5b1b913d46b84b205671f11fe21b49

      SHA256

      94dea894830a671136b1d1638b713ccec86df81eabcaa8c363e1a2b1aaa6f1a8

      SHA512

      cce334c77b37dadaacb85eb9d9010a3e3894b37ace34f9b35702cd7c81ba79120a4258036222888ae5543d0a4f2d61170f281332298656b56424f8aa3798410b

      Download Submit

    • C:\ProgramData\KeyAuth\debug\Sleettz Virtualization\Sep_05_2024_logs.txt
      Filesize

      476B

      MD5

      559fd446526463253797287e3153db74

      SHA1

      fb69dcdd1311121f8e3756202b84f132c7cf8f61

      SHA256

      f159c71b28f1de6bd327314f0b33dec8e9a36acafe1dc8c6d44f915ca388606c

      SHA512

      ed06e6dcc0ba32eaabc09cb29833f57fe64ddc6d73c39ef65f6b414abb9d665d73d7fbc5fe6907a48a7bc46c4f3b2ecd8c3b186bc69c6215d35d5c7d0421b6d4

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Sleettz Virtualization.exe.log
      Filesize

      1KB

      MD5

      34eb07a82ee50ca6baa787247463d761

      SHA1

      d0283c31a3d5fdd746f2a9134cf56ee71b6594b7

      SHA256

      870f5a3c36b2dc5ccecb039d7181b0e0eb86f457eca51b78c7939cc4855c8cf7

      SHA512

      2f734ced93cf384032a4166bd3db14bff0c043915ab382690cb3e3e825521aaf674e06869af212375f344481184d44b5d82a229a25fac21386d192b97e1ceef1

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Logs\ErrorLogs.txt
      Filesize

      148B

      MD5

      fd478a2f5fcca58a395af7d3a4f04c37

      SHA1

      32adde9591dcd234619aa35bc68379d95a445ac6

      SHA256

      9549ab59868dbbe8835e27a5163b4b7bc05fe50cc51d2fd012311401253a4f16

      SHA512

      ad22c1b474f140ea9b7754e75b881420b315b5243a04984165ab661059e28841287d3d2ce912f303ce59090bc4b02de1780d64065a7e7362284b2b8f01e98a9e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Logs\ErrorLogs.txt
      Filesize

      222B

      MD5

      c5921b32eb94b26582cf66c954c8dc43

      SHA1

      980c7e007f8ecd33bdcc8afb3c899c60d8e6030c

      SHA256

      2574f98bf939fa2a8aeed3a21d0dec0608290e479558ed5225f6bc1271e91ba0

      SHA512

      50324b53ff290cfc91bf7ddb612d2b38a7834b16ac8f76acbe144c6b08f420ecdfbdf644c1f9d5c53c00fbdb8d8aefb6de3cb7cf40d4797fd160897b9b6c66fd

      Download Submit

    • memory/1672-27-0x0000000009AE0000-0x0000000009E34000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3984-6-0x0000000005E00000-0x0000000005E12000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3984-17-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3984-8-0x00000000063D0000-0x00000000065E4000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/3984-9-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3984-10-0x0000000009390000-0x0000000009442000-memory.dmp

      Filesize

      712KB

      Download

    • memory/3984-11-0x00000000094B0000-0x00000000094D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3984-12-0x00000000094E0000-0x0000000009834000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/3984-14-0x00000000098A0000-0x00000000098DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3984-16-0x00000000746DE000-0x00000000746DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3984-7-0x0000000005E50000-0x0000000005E5A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3984-18-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3984-21-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3984-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3984-5-0x00000000746D0000-0x0000000074E80000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3984-4-0x0000000004F20000-0x0000000004F86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3984-3-0x0000000004E80000-0x0000000004F12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3984-2-0x0000000005390000-0x0000000005934000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3984-1-0x0000000000280000-0x0000000000492000-memory.dmp

      Filesize

      2.1MB

      Download