Analysis
-
max time kernel
98s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
09-09-2024 23:13
General
-
Target
VertaxNew/Vertax.exe
-
Size
4.3MB
-
MD5
32980bf90249d39c2bc463e6fb5cefa7
-
SHA1
76e18853ef019cff4b0015d1a6f8c47f3f506eba
-
SHA256
ed2d5f70ec106e4274bca6a85022a1fffad82c66745bde3c876962c06b75b61b
-
SHA512
156c9ffce33bf7b858bd85da726aa6ef6d8e9eee51d6c6072777037505619b144e332634158172cf36dcd3fa432fb266c32d1422f698ad1b4a9ca5087ed8c550
-
SSDEEP
98304:1GZqOKXmi+r5natSim9FH9yMpPsB3j2pmvLC/2CxEchlN36r:1GZqrXX+VneSimDHEMpPSKpmvLI7xEcA
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Themida packer 3 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Delays execution with timeout.exe 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VertaxNew\Vertax.exe"C:\Users\Admin\AppData\Local\Temp\VertaxNew\Vertax.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 54⤵
- System Location Discovery: System Language Discovery
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9.4MB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
9.4MB
-
Filesize
9.4MB
-
Filesize
216KB
-
Filesize
408KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
2.1MB
-
Filesize
960KB
-
Filesize
72KB
-
Filesize
9.4MB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
960KB
-
Filesize
9.4MB
-
Filesize
960KB