Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-10-2024 15:08

General

  • Target

    agentesla/06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe

  • Size

    366KB

  • MD5

    b29263b5d35ffce3eef6a54549966724

  • SHA1

    23d474b87f0698a3c954aeeffc9e2b7777aa8731

  • SHA256

    06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871

  • SHA512

    ecdb4111613d82b06d23cb6d57ce0c1e48f06e8fa44e9c32a478a58e377bfe3170037e049035cc8b90dda74b228e52962035378c8b01cf9c6c2bd9120aaf7688

  • SSDEEP

    6144:OOTNj/znzNEu816TkUzhD6dmo9FUiK2FpSMtZSYVM/SxRCVEt1Lakl:3j/znzNEu816T5zhD6Yq5Fp37SYbTaML

Malware Config

Extracted

Family

agenttesla

Credentials

Extracted

Family

remcos

Version

1.7 Pro

Botnet

Host

C2

104.129.27.19:2404

Attributes
  • audio_folder

    audio

  • audio_path

    %AppData%

  • audio_record_time

    5

  • connect_delay

    0

  • connect_interval

    5

  • copy_file

    remcos.exe

  • copy_folder

    remcos

  • delete_file

    false

  • hide_file

    false

  • hide_keylog_file

    false

  • install_flag

    false

  • install_path

    %WinDir%

  • keylog_crypt

    false

  • keylog_file

    logs.dat

  • keylog_flag

    false

  • keylog_folder

    remcos

  • keylog_path

    %AppData%

  • mouse_option

    false

  • mutex

    remcos_lojuxaaqmwpnhvc

  • screenshot_crypt

    false

  • screenshot_flag

    false

  • screenshot_folder

    Screens

  • screenshot_path

    %AppData%

  • screenshot_time

    1

  • startup_value

    remcos

  • take_screenshot_option

    false

  • take_screenshot_time

    5

Extracted

Family

asyncrat

Version

0.5.8

Botnet

Default

C2

104.129.27.19:6606

104.129.27.19:7707

104.129.27.19:8808

Mutex

ppUf6LQ00ujy

Attributes
  • delay

    3

  • install

    false

  • install_folder

    %AppData%

aes.plain

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Remcos

    Remcos is a closed-source remote control and surveillance software.

  • Async RAT payload 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\agentesla\06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe
    "C:\Users\Admin\AppData\Local\Temp\agentesla\06c9e20878f14ce4cba1a0c2bc40117f609a550543a2aecba751c17851fb1871.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2376
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2872
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of WriteProcessMemory
      PID:2808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'HWMonitor' -Value '"C:\Windows\system32\HWMonitor\HWMonitor.exe"' -PropertyType 'String'
        3⤵
        • Adds Run key to start application
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:540
      • C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe
        "C:\Windows\system32\HWMonitor\HWMonitor.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        PID:2496
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2928

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\crss.exe

    Filesize

    10KB

    MD5

    caf9747a01a99245a0b3df133dd85191

    SHA1

    c8429f9d5d1d9768e22019fcac5f0d4b59c006a6

    SHA256

    6d0d83d060bc279825425757101698e702f3e71c53639270c63b24216fcbcd3f

    SHA512

    efde236d9924598aa1b3b54b1711b9bbea194bd4a392781aa3c71dca55a0e0188bc8452468497538ee7444ee8803ab4c5865f821fd7aba60b811ed72ebd57ce7

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\dllhostservices.exe

    Filesize

    36KB

    MD5

    64836f3e257a5b415711abc3b6ea6323

    SHA1

    f52f8588801554eaf4e495784b84f830c4afeaf4

    SHA256

    3f02a631dce0c4a4acd39ca731eae0ebda74ea65bfe90573d2ab226bab1dc234

    SHA512

    f3418f421ff0d0bfefd37e5ad75f9d2ffe40953333b90a01ab015942f36333fc4c0e03e468e725e6d8bb5573d9c058aeb889336fee77099db2ddfdfd1a7822f9

  • C:\Windows\SysWOW64\HWMonitor\HWMonitor.exe

    Filesize

    37.2MB

    MD5

    4de02f7704af0b408375810ec01c7e43

    SHA1

    a94b5287df2d34a7db983574c647d1247609b541

    SHA256

    f31652f75764d59b0108f54074cb36e2d7328031bc154afeb0ce98c8a110557d

    SHA512

    7549844d0cbdc027f4cdc9ee09cee453ddc97da3a90ff9690e2749a130abd62c048a37969a9899bfbd4b4aacea1961d5bffa8464c0220984176b131fa76b943c

  • \Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\svchostservice.exe

    Filesize

    45KB

    MD5

    962b8a0da7f38404ae75698d445d2f82

    SHA1

    afefd1bc3f70d9a03621a22715ea1001a8d4427b

    SHA256

    940d979a6e48061d85288ff57e6865087d7c0362774bd7d2caebfdc7b02914eb

    SHA512

    e1092a2f4c3877eca9d6f67b4da78fecae66bc5fd49d190f796358c245b005a3c6fbd49496bfb4b1ea688c6719c0ca4f963f49b192c97dcb518d5cd4c42bbc68

  • memory/2376-19-0x0000000074470000-0x0000000074B5E000-memory.dmp

    Filesize

    6.9MB

  • memory/2376-33-0x0000000004C00000-0x0000000004C19000-memory.dmp

    Filesize

    100KB

  • memory/2376-23-0x0000000004C00000-0x0000000004C19000-memory.dmp

    Filesize

    100KB

  • memory/2376-1-0x0000000000A10000-0x0000000000A72000-memory.dmp

    Filesize

    392KB

  • memory/2376-2-0x0000000074470000-0x0000000074B5E000-memory.dmp

    Filesize

    6.9MB

  • memory/2376-20-0x0000000004C00000-0x0000000004C19000-memory.dmp

    Filesize

    100KB

  • memory/2376-0-0x000000007447E000-0x000000007447F000-memory.dmp

    Filesize

    4KB

  • memory/2376-36-0x0000000004C00000-0x0000000004C19000-memory.dmp

    Filesize

    100KB

  • memory/2376-3-0x000000007447E000-0x000000007447F000-memory.dmp

    Filesize

    4KB

  • memory/2496-46-0x0000000000180000-0x0000000000188000-memory.dmp

    Filesize

    32KB

  • memory/2808-31-0x0000000000F80000-0x0000000000F88000-memory.dmp

    Filesize

    32KB

  • memory/2872-34-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2872-38-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2872-22-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2872-51-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2872-54-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2872-57-0x0000000000400000-0x0000000000419000-memory.dmp

    Filesize

    100KB

  • memory/2928-32-0x0000000000D90000-0x0000000000DA2000-memory.dmp

    Filesize

    72KB