Overview

overview

10

Static

static

3

0OMR3ePpuy1emRH.exe

windows7-x64

10

0OMR3ePpuy1emRH.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-09-2024 11:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0OMR3ePpuy1emRH.exe

  • Size

    771KB

  • MD5

    96226c303c0d7bbf9a574046946d1862

  • SHA1

    923b5a8ded7e983f8214cf744e1f0fb647780cf0

  • SHA256

    25cfe85f9d0fe6844572b38f882976b95ef8570d046500d5dcb39d654d2a4532

  • SHA512

    e33313adbb198dec24e53468cc230b4318db467089ae8f212478ee67dc6d93bdd59871b1cf466fa62dd8fcf8c28ab6895f8a40eaf35d4459275fd2429eab836a

  • SSDEEP

    12288:RWDT77O+qDIVPm4qcEsoLjT+2PK2g+FSl6flLjjWMDducC6VgKWE:0n7vVPm++D+2S2W6lan6V99

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.apexrnun.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    %qroUozO;(C2Rlyb

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0OMR3ePpuy1emRH.exe
    "C:\Users\Admin\AppData\Local\Temp\0OMR3ePpuy1emRH.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\0OMR3ePpuy1emRH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\0OMR3ePpuy1emRH.exe
      "C:\Users\Admin\AppData\Local\Temp\0OMR3ePpuy1emRH.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4524

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\0OMR3ePpuy1emRH.exe.log
    Filesize

    1KB

    MD5

    31f95c36ee4b5ac1ffcbdc89b3bcabc0

    SHA1

    d38fddab78283c1cc05cc55652222cd7e5a484aa

    SHA256

    88486792973340aafc9db775eadfaa849d05a5e2ed25a38e67febcdf70213ce6

    SHA512

    9acb665346143d8622613d047502a65615ea369db94281b20cb5bea6dac18f397f8c0144e8d4a201d94cd36b229ad9a31ce4a4a11e1fdcd19e6496a035032072

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j5n2hqzl.lvc.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2804-51-0x0000000007AF0000-0x000000000816A000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/2804-52-0x0000000007440000-0x000000000745A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2804-23-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2804-24-0x0000000005150000-0x0000000005172000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2804-60-0x0000000007770000-0x0000000007778000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2804-59-0x0000000007790000-0x00000000077AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2804-58-0x0000000007690000-0x00000000076A4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2804-57-0x0000000007680000-0x000000000768E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2804-55-0x0000000007650000-0x0000000007661000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2804-54-0x00000000076D0000-0x0000000007766000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2804-53-0x00000000074C0000-0x00000000074CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2804-35-0x0000000005AC0000-0x0000000005E14000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2804-50-0x0000000007120000-0x00000000071C3000-memory.dmp

    Filesize

    652KB

    Download

  • memory/2804-49-0x0000000007100000-0x000000000711E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2804-18-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2804-25-0x00000000051F0000-0x0000000005256000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2804-17-0x0000000002800000-0x0000000002836000-memory.dmp

    Filesize

    216KB

    Download

  • memory/2804-21-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2804-22-0x0000000005490000-0x0000000005AB8000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/2804-39-0x0000000071010000-0x000000007105C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2804-63-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2804-38-0x00000000070C0000-0x00000000070F2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2804-37-0x00000000061B0000-0x00000000061FC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2804-36-0x0000000006130000-0x000000000614E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3792-5-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3792-9-0x000000007539E000-0x000000007539F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3792-4-0x0000000005430000-0x000000000543A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3792-3-0x0000000005AE0000-0x0000000006084000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3792-6-0x0000000005720000-0x00000000057BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3792-16-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3792-7-0x0000000006C00000-0x0000000006CA0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3792-0-0x000000007539E000-0x000000007539F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3792-2-0x0000000005490000-0x0000000005522000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3792-8-0x00000000056F0000-0x0000000005708000-memory.dmp

    Filesize

    96KB

    Download

  • memory/3792-11-0x0000000006A50000-0x0000000006AD4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/3792-10-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3792-1-0x0000000000970000-0x0000000000A38000-memory.dmp

    Filesize

    800KB

    Download

  • memory/4524-56-0x0000000006C90000-0x0000000006CE0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4524-12-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4524-15-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4524-20-0x0000000005740000-0x00000000057A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4524-19-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4524-64-0x0000000075390000-0x0000000075B40000-memory.dmp

    Filesize

    7.7MB

    Download