Overview

overview

10

Static

static

3

Ödeme Bildirimi.exe

windows7-x64

10

Ödeme Bildirimi.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    09-09-2024 10:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ödeme Bildirimi.exe

  • Size

    810.6MB

  • MD5

    026d2f0bc075aea5b674ee8c8e28c062

  • SHA1

    50be7a17f99f47b288aa507a4f4b8175046af7be

  • SHA256

    dd6792c5b40433f5fa1e59f4e4b5c067c3f0986346904f9c6fe23bc61ca720a2

  • SHA512

    2bc047bc5a32cda240887d8cd19d9aa579e419e268a2678733673e33665fbaa681daaad9e82f4f108702763d4e8eaec03e1f15691d81d1b7add5d3fe0fb01ece

  • SSDEEP

    12288:E5MFKLltmvsXEuXfHgYxJig3Qt5qUu34HE1YQ/e9i72l:VFKOv0fHgYxJigKHE1YQWkE

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
    "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uNcbBGFuPZgDr.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uNcbBGFuPZgDr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2852
    • C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
      "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
      2⤵
        PID:2596
      • C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe
        "C:\Users\Admin\AppData\Local\Temp\Ödeme Bildirimi.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2536

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp195A.tmp
      Filesize

      1KB

      MD5

      bce8136c4a5a0a5b06986173e943ee4b

      SHA1

      fdf39dc106430c60deac1f5addd8d02e6e672d22

      SHA256

      c5abc7ece274f53ecd42bc9f40013e7261f9299f0e7d3a99badf3c0a1926a5d4

      SHA512

      b613c1ac92912c962cbaa91fe32d95727c63e21be50a4a550d49644ed8701dac0096086768657cdb36399de23cd21f1266bd5b41b932352307cc9418d1979386

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      0a65b66be963ae31e473c91942cdd30f

      SHA1

      ca794f6d37a8b74b2083b2dacd7f856fe7faef14

      SHA256

      97c30f20418a25a6940bbd61525c26740d8a8d514dfb3a68f5ae41273029bb27

      SHA512

      8e532ba8f7ca18abbb96b99d5ce65c7f4e07df5c6b17be604387dadd468b5d5da6b3725f9a9865bafbe9e908d747ea8be22d902cddda78c1e5113f0294cb18eb

      Download Submit

    • memory/2148-4-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-31-0x0000000074630000-0x0000000074D1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2148-0-0x000000007463E000-0x000000007463F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2148-5-0x0000000074630000-0x0000000074D1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2148-6-0x0000000005300000-0x0000000005384000-memory.dmp

      Filesize

      528KB

      Download

    • memory/2148-2-0x0000000074630000-0x0000000074D1E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2148-1-0x0000000000040000-0x00000000000E2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/2148-3-0x0000000000750000-0x0000000000760000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2536-19-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-28-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-30-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-29-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2536-25-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-23-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2536-22-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download