Overview

overview

10

Static

static

5

f004d128db...ae.exe

windows7-x64

7

f004d128db...ae.exe

windows10-2004-x64

Analysis

  • max time kernel
    19s
  • max time network
    31s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-11-2024 02:02

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    f004d128db0d7e80af095757c5ca81e475e4323148a5a6528e974c66a1a76eae.exe

  • Size

    1.6MB

  • MD5

    f8773716460bbffd6ca7747301d73d78

  • SHA1

    640643fb458e5f4faa92721faeda202e2096e387

  • SHA256

    f004d128db0d7e80af095757c5ca81e475e4323148a5a6528e974c66a1a76eae

  • SHA512

    68824288a6f8c9e8857ab5c5bcc3b34d166da53e24e6591d480d9e1050af57e14c00c1c2b20f60ded76fce2a4d3cabd4b441dc194f64a726861988c4e7897d7e

  • SSDEEP

    24576:6tb20pUaCqT5TBWgNQ7aJXpGb3Lspm5Pd/pX6AXsqjnhMgeiCl7G0nehbGZpbD:nhg5tQ7aJXpGb3ImzB5rDmg27RnWGj

Score
10/10
agentteslaredlinexwormfozdiscoveryinfostealerkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

FOZ

C2

212.162.149.53:36014

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Drops startup file 2 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 13 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f004d128db0d7e80af095757c5ca81e475e4323148a5a6528e974c66a1a76eae.exe
    "C:\Users\Admin\AppData\Local\Temp\f004d128db0d7e80af095757c5ca81e475e4323148a5a6528e974c66a1a76eae.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:540
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\f004d128db0d7e80af095757c5ca81e475e4323148a5a6528e974c66a1a76eae.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1784
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    PID:3060
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:3308
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:1712
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1900
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1244
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:3224
    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
      1⤵
      • Executes dropped EXE
      PID:2644
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:3332
    • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
      "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
      1⤵
      • Executes dropped EXE
      PID:2180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      Filesize

      2.1MB

      MD5

      0c9645890afab56f90acd44916f1406a

      SHA1

      031b98397d784b425f05d697e24d29d7f5afb388

      SHA256

      b4239d7530db9675677cc4073979d1a8d65a9dac92f8308db92d5899ba8f057e

      SHA512

      984a50af8e1532d85ef5edf39566ae346223478bc3fd06387807100d1b0dadf8b359ac9637751b0494752435710f65d5192ed346e2bb4a67bcaa9270529fb47b

      Download Submit

    • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
      Filesize

      1.3MB

      MD5

      06dcd5f18ca6583344fea738184828b5

      SHA1

      31f0581aeb4006cdd6a8cf5faba4a84ee69f7a51

      SHA256

      58f0af1fb1202055973eb0df8ee691f4d4e9e16ad168b71a5698afa0cf42b100

      SHA512

      eacd00f1592fe4a43b6fc25503623d8b44005c09a5bb844c413fe14f1826d2c2c9e6948dc777c1d9edb07e86a07cc129bba69aadcf2c7dcb20409eb113932cbb

      Download Submit

    • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
      Filesize

      1.3MB

      MD5

      f477da9a286a915298f09a7327d89236

      SHA1

      7573caa1a1d3db336a9d894754fff7a84cae8c43

      SHA256

      25eda8e6d2c13a086f75a62c13831c48e763243c30567195246e9576b41dfe64

      SHA512

      7e15d7eb7b6d191b9448602525456abf76a64262a5f2790e4901b16247fe629aef2f34a80ed27b4eafdcf01138769600325f3781e1a1be1b343d6c54d21e5d40

      Download Submit

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      Filesize

      2.1MB

      MD5

      2dc6603413e4d5f1aed8765ab13f0aad

      SHA1

      1a1312f6da22bd2590444284832325b760a1c146

      SHA256

      391023a4656fceb2dcc58be6eb5000bd874b96168445e9f044cdddf1a69444fb

      SHA512

      293577ff8cb83ddd3ed086899d86d9afd12d331d79f853ccf0398496b4450522df91aefc26c909fc354d5f8ea83dff636c46cb0c4261c29942482221b1ed3b92

      Download Submit

    • C:\Users\Admin\AppData\Roaming\XClient.exe
      Filesize

      1.1MB

      MD5

      cd747a2a10e48b08abff9063f730588a

      SHA1

      7c02843984da6db88c0be3d03d68e91b5c1518f2

      SHA256

      5a11b5bac78cb76e108d9597fda90d1ab46995424dbcaecf0d00be3d4a2795cf

      SHA512

      7955b455d9213b28ac357051c1f79a5c7902329a67030bc8a88182df7b76028457ed14ea98eaf9bf99949e0bed1cb1046038e11e5e9122897b2f2f79a5460142

      Download Submit

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
      Filesize

      1.2MB

      MD5

      ed5a1531c4892dce06e785c4f3825b69

      SHA1

      ae8ad26d12cb7679186eddda1b4d6f6396cb48a0

      SHA256

      d43afa086e1f3dc8462fb344edd1998c7c9795f134146ec62ca3c4caca1f4de7

      SHA512

      bce918370ccc9707d07a88920947afaf4f770b702003bdba9027306289e034864337fe479e67305b241564f27f50654f2d74573717ba880bc0d754f33160bcdf

      Download Submit

    • C:\Windows\System32\FXSSVC.exe
      Filesize

      1.2MB

      MD5

      51fcd6612ad42736433f98b1fb745d92

      SHA1

      3a5610a0fb17329c2fe6c5e5e5aee296ffd3612d

      SHA256

      1cb78038111137e513513d82c9794241013c6eacacb99e2fe2c3f9b136e07ccd

      SHA512

      4b64ced7a782db3b289df91ec508d74ce0fa452b7d7212c25ab34759f5f8bf573980fba1b07072713637ed4e9f30addc5b3311ab2d0ac93cfdc19aa3d0276d8d

      Download Submit

    • C:\Windows\System32\alg.exe
      Filesize

      1.2MB

      MD5

      758bed9fd7bb1c59a2d6adc6b8d21be4

      SHA1

      83b51ffe5867c4b7d50286b4c230dd30524b1f64

      SHA256

      ce3bc8feef7b2d7bea6677a60a5930e868a8029a52c1d9ad9085d314d4ec721a

      SHA512

      06f48d671b18e01763780ed9016c7cee21c6fa0089bd49bccfd88e2f9ce4a3c471de515cc25825d1a6ecf4cbe56594832a7b9c8f6840178875e8abfd09b5eeef

      Download Submit

    • C:\Windows\System32\msdtc.exe
      Filesize

      1.2MB

      MD5

      963228137690aa0260e381cd18a4a784

      SHA1

      ff2e2b0176cdf961dee3790eff389578ff8696d3

      SHA256

      e331a0760ba65aa55c35d18750c3a8b2b38ec360f742389ac3071c5c22eed875

      SHA512

      95de3e52937f0329dda1f6d16711c630c985d168f8e282e81877872f5a282d6dbbcf5e6ebdd2798bf9052913dbafa1f9aaf9a984c02b18ae6e55eed51dec420e

      Download Submit

    • C:\Windows\system32\AppVClient.exe
      Filesize

      1.3MB

      MD5

      d151a8488784d8a66579a5d213d04975

      SHA1

      f8d21ff78c789823bb7b67a26ca4f3eb56d97eeb

      SHA256

      195b830ae0f0fd77df4f0bd5d9df154599c540cc0ceb802ab85972a312299044

      SHA512

      5ec7cbb4f1cf736cae701c9b1ac023146e8c2cadc3237c464c1fce2d2b5e93bd080acaf2db12d861c5dc53a804810c2eaab58dc378bd0af99c2cb201de689e6c

      Download Submit

    • C:\Windows\system32\msiexec.exe
      Filesize

      1.1MB

      MD5

      c13d60c75d2c5f8c41d9de55b2eb4a4b

      SHA1

      b81e8c1f2a7a2416c6bae7354b0e5aaca0695137

      SHA256

      c990371f6730af505ce25ac1865e634f347da16497f8ea9b104cb98d99e481c5

      SHA512

      80a64369f3bfc9796b2b6b782d4cce11926b0980efa7bc9c9ed9ade9f9dfcdb424d782749b70ea79906d6b282c1375d451f05a18a1d2645269cc82a2f3047e25

      Download Submit

    • memory/540-112-0x0000000000400000-0x00000000005A5000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/540-0-0x0000000000400000-0x00000000005A5000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/540-81-0x0000000000400000-0x00000000005A5000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/540-6-0x0000000001B30000-0x0000000001B97000-memory.dmp

      Filesize

      412KB

      Download

    • memory/540-1-0x0000000001B30000-0x0000000001B97000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1244-501-0x0000000140000000-0x0000000140234000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1244-53-0x0000000000710000-0x0000000000770000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1244-59-0x0000000000710000-0x0000000000770000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1244-60-0x0000000140000000-0x0000000140234000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/1784-499-0x00000000068B0000-0x00000000068BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1784-139-0x0000000005DC0000-0x0000000006364000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1784-349-0x0000000005950000-0x00000000059EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/1784-140-0x0000000005870000-0x0000000005894000-memory.dmp

      Filesize

      144KB

      Download

    • memory/1784-134-0x00000000055E0000-0x0000000005606000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1784-498-0x0000000006920000-0x00000000069B2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1784-509-0x0000000007530000-0x0000000007596000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1784-510-0x0000000008090000-0x00000000080E2000-memory.dmp

      Filesize

      328KB

      Download

    • memory/1784-511-0x0000000008700000-0x0000000008D18000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1784-512-0x0000000008290000-0x00000000082D4000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1784-513-0x00000000083A0000-0x00000000084AA000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/1900-38-0x0000000000830000-0x0000000000890000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1900-51-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1900-37-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/1900-46-0x0000000000830000-0x0000000000890000-memory.dmp

      Filesize

      384KB

      Download

    • memory/1900-52-0x0000000000830000-0x0000000000890000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2180-508-0x0000000140000000-0x0000000140155000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2180-125-0x0000000140000000-0x0000000140155000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2644-93-0x0000000002270000-0x00000000022D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2644-83-0x0000000002270000-0x00000000022D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2644-89-0x0000000002270000-0x00000000022D0000-memory.dmp

      Filesize

      384KB

      Download

    • memory/2644-97-0x0000000140000000-0x0000000140155000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/2644-82-0x0000000140000000-0x0000000140155000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/3060-126-0x0000000140000000-0x0000000140130000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3060-20-0x00000000006D0000-0x0000000000730000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3060-11-0x0000000140000000-0x0000000140130000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3060-12-0x00000000006D0000-0x0000000000730000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3224-506-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3224-64-0x0000000140000000-0x000000014022B000-memory.dmp

      Filesize

      2.2MB

      Download

    • memory/3224-65-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3224-71-0x00000000001A0000-0x0000000000200000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3308-34-0x00000000006A0000-0x0000000000700000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3308-26-0x00000000006A0000-0x0000000000700000-memory.dmp

      Filesize

      384KB

      Download

    • memory/3308-25-0x0000000140000000-0x000000014012F000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3308-382-0x0000000140000000-0x000000014012F000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3332-96-0x0000000140000000-0x000000014013F000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3332-507-0x0000000140000000-0x000000014013F000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/3332-98-0x0000000000C70000-0x0000000000CD0000-memory.dmp

      Filesize

      384KB

      Download