Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    247s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26-09-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe

  • Size

    1.5MB

  • MD5

    dcc274470fb1b9922215f719d1c4640d

  • SHA1

    f772a0bf9a265426fdf5d3b9249d96a0ad68c834

  • SHA256

    1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495

  • SHA512

    d29d56465e364b6017e933a2cfa6ae79f5ddfc6fde75b452da66cbfb3cb97c662761b7bb785900c63519079949ec10d4806d405b1a11b1a49364c3ce01ad6e0c

  • SSDEEP

    24576:5u+ow/e8f4k3gbD9tysqjnhMgeiCl7G0nehbGZpbD:4+JAxMDmg27RnWGj

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe
    "C:\Users\Admin\AppData\Local\Temp\1b1c31832d9243da7835baa9d7e822c7ff18e6379ae3668840be6cd9f9575495.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Users\Admin\AppData\Local\Temp\neworigin.exe
      "C:\Users\Admin\AppData\Local\Temp\neworigin.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2792
    • C:\Users\Admin\AppData\Local\Temp\server_BTC.exe
      "C:\Users\Admin\AppData\Local\Temp\server_BTC.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2928
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3008
      • C:\Windows\SysWOW64\schtasks.exe
        "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 22:37 /du 23:59 /sc daily /ri 1 /f
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:768
      • C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
        "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of AdjustPrivilegeToken
        PID:2892
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFAE2.tmp.cmd""
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:372
        • C:\Windows\SysWOW64\timeout.exe
          timeout 6
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1720
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {3EC86516-B40B-481D-86A0-730C4334F501} S-1-5-21-1488793075-819845221-1497111674-1000:UPNECVIU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2840

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpFAE2.tmp.cmd
    Filesize

    162B

    MD5

    136a37ee02b55c76c2747ddf9748506d

    SHA1

    611fc22f9569ff2b0c45d63ce42aa504bbdf89bf

    SHA256

    2632c08e7ce587d85ba31a10e8805f67f4949e50bc3c94d42a412980b912897a

    SHA512

    1058d004fdf3aef181701c1d89182e898caaac2b16df03382e50a062d764ba488ba5d1bf99b7295a25695534f5e4e819ac9ca76360c1cc49b77676c46f6754bd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\neworigin.exe
    Filesize

    244KB

    MD5

    d6a4cf0966d24c1ea836ba9a899751e5

    SHA1

    392d68c000137b8039155df6bb331d643909e7e7

    SHA256

    dc441006cb45c2cfac6c521f6cd4c16860615d21081563bd9e368de6f7e8ab6b

    SHA512

    9fa7aa65b4a0414596d8fd3e7d75a09740a5a6c3db8262f00cb66cd4c8b43d17658c42179422ae0127913deb854db7ed02621d0eeb8ddff1fac221a8e0d1ca35

    Download Submit

  • \Users\Admin\AppData\Local\Temp\server_BTC.exe
    Filesize

    226KB

    MD5

    50d015016f20da0905fd5b37d7834823

    SHA1

    6c39c84acf3616a12ae179715a3369c4e3543541

    SHA256

    36fe89b3218d2d0bbf865967cdc01b9004e3ba13269909e3d24d7ff209f28fc5

    SHA512

    55f639006a137732b2fa0527cd1be24b58f5df387ce6aa6b8dd47d1419566f87c95fc1a6b99383e8bd0bcba06cc39ad7b32556496e46d7220c6a7b6d8390f7fc

    Download Submit

  • memory/1316-0-0x0000000001DF0000-0x0000000001E57000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1316-9-0x0000000001DF0000-0x0000000001E57000-memory.dmp

    Filesize

    412KB

    Download

  • memory/1316-8-0x0000000000400000-0x000000000058E000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2792-27-0x0000000001360000-0x00000000013A4000-memory.dmp

    Filesize

    272KB

    Download

  • memory/2792-29-0x0000000073FF0000-0x00000000746DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2792-52-0x0000000073FF0000-0x00000000746DE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2892-48-0x0000000001120000-0x000000000115E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2928-26-0x0000000073FFE000-0x0000000073FFF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2928-28-0x00000000010E0000-0x000000000111E000-memory.dmp

    Filesize

    248KB

    Download