Overview

overview

10

Static

static

6

captured_m...lK.exe

windows7-x64

10

captured_m...lK.exe

windows10-2004-x64

10

captured_m...gn.apk

android-9-x86

captured_m...22.apk

windows7-x64

3

captured_m...22.apk

windows10-2004-x64

3

captured_m...22.apk

android-9-x86

captured_m...22.apk

android-9-x86

captured_m...22.apk

android-9-x86

captured_m...cE.exe

windows7-x64

10

captured_m...cE.exe

windows10-2004-x64

10

captured_m...ak.exe

windows7-x64

10

captured_m...ak.exe

windows10-2004-x64

10

captured_m...ly.exe

windows7-x64

10

captured_m...ly.exe

windows10-2004-x64

10

captured_m...Ql.exe

windows7-x64

10

captured_m...Ql.exe

windows10-2004-x64

10

captured_m...tU.exe

windows7-x64

10

captured_m...tU.exe

windows10-2004-x64

10

captured_m...2z.exe

windows7-x64

3

captured_m...2z.exe

windows10-2004-x64

3

captured_m...MU.exe

windows7-x64

10

captured_m...MU.exe

windows10-2004-x64

10

captured_m...EU.exe

windows7-x64

3

captured_m...EU.exe

windows10-2004-x64

3

captured_m...Gs.exe

windows7-x64

3

captured_m...Gs.exe

windows10-2004-x64

3

captured_m...i6.exe

windows7-x64

3

captured_m...i6.exe

windows10-2004-x64

3

captured_m...CW.exe

windows7-x64

10

captured_m...CW.exe

windows10-2004-x64

10

captured_m...s6.exe

windows7-x64

10

captured_m...s6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 20:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    captured_malware/P0weOPjsmVN5OCW.exe

  • Size

    964KB

  • MD5

    98967ce40ebd4dac5ec4c937b9c755a3

  • SHA1

    1bfb7de1afa9ecd50945cdc5b7305b63b36c1520

  • SHA256

    002d56a69567db513519d5b528da88133425214a569e6f758dd20ac7492374fb

  • SHA512

    f92611d13b4943888e517fa864734b208911b729c8c471276d8a73018e1bbd0e2270095a89e6fd5a86c21d00f2242878b2cb1a581c070893684051aa5394c12d

  • SSDEEP

    24576:rW5OadePnRlODOlZ9FME0XdgR10F33p2/:rydePnRltH/M9dg10p

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.rhsmeridian.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    BD6009BMWX5+

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • AgentTesla payload 1 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe
    "C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1636
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mQltAFwXEwgbTQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mQltAFwXEwgbTQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB193.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:3088
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mQltAFwXEwgbTQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:484
    • C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe
      "C:\Users\Admin\AppData\Local\Temp\captured_malware\P0weOPjsmVN5OCW.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:876

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    3d086a433708053f9bf9523e1d87a4e8

    SHA1

    b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

    SHA256

    6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

    SHA512

    931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    407142d068970efcfcd6fe493e036933

    SHA1

    aea755722d3d026c8b837e25b67cbc19d39be6ef

    SHA256

    11eb86a452c1ea6cd79873bbb0fc8c9f516231a80add2dde14f65912210ec552

    SHA512

    2f58fc5c2c98d77851140a4a60d51eea9c922e360ecc9ab2a765923538eb89d4b48a68dcc43a5603ce98389a9461e5d301b9b2593dea2dbca3df52757a90ec68

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    1c9d310f565d368fefc26dc91eeff6b0

    SHA1

    68a41de45db1b696e91fb06fefca6259aeb02ba3

    SHA256

    48897c14d10d8863555fecae91665f5bb8d7aaf0af2f84b7aa138e8b9afeb712

    SHA512

    730b8b879321cfd23ba872fae0e8f26322212aa787c25d1cdd6563152ef2f7e2ca483ef668c9a4c432df8d2db2eebe1e67f999e924d5cdbbcb6456aabc4a4f11

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_andblbwv.2al.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmpB193.tmp
    Filesize

    1KB

    MD5

    44acf9592fa69b2864445131d9254706

    SHA1

    13d19844069f68b140fee75a4f29df608290c1c0

    SHA256

    7337ecb07db88d8b9cd9f957100b0fc22c5e2abc1a0444b2dd89374b97d2638c

    SHA512

    01b96d4cb11b7cd8f767f6604061b131a6a1faa6fce5eded4aa9c846293742cfd6d703ff2d96eb85caa621784da20bb776c46d54eea569725fed98d5dbf593c1

    Download Submit

  • memory/484-102-0x0000000007310000-0x0000000007318000-memory.dmp

    Filesize

    32KB

    Download

  • memory/484-101-0x0000000007330000-0x000000000734A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/484-87-0x000000006F800000-0x000000006F84C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/876-112-0x00000000051D0000-0x00000000051E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/876-47-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1636-84-0x0000000007640000-0x0000000007CBA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/1636-99-0x0000000007220000-0x000000000722E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/1636-109-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-86-0x0000000007060000-0x000000000706A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1636-18-0x00000000023C0000-0x00000000023F6000-memory.dmp

    Filesize

    216KB

    Download

  • memory/1636-19-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-20-0x0000000004F20000-0x0000000005548000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/1636-21-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-22-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1636-85-0x0000000006FF0000-0x000000000700A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1636-26-0x0000000005630000-0x0000000005696000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1636-83-0x0000000006ED0000-0x0000000006F73000-memory.dmp

    Filesize

    652KB

    Download

  • memory/1636-61-0x00000000062A0000-0x00000000062D2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/1636-62-0x000000006F800000-0x000000006F84C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/1636-25-0x00000000055C0000-0x0000000005626000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1636-49-0x0000000005CD0000-0x0000000005CEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1636-24-0x0000000004EF0000-0x0000000004F12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1636-50-0x0000000005D00000-0x0000000005D4C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2276-97-0x0000000007930000-0x00000000079C6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/2276-108-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2276-100-0x00000000078F0000-0x0000000007904000-memory.dmp

    Filesize

    80KB

    Download

  • memory/2276-98-0x00000000078B0000-0x00000000078C1000-memory.dmp

    Filesize

    68KB

    Download

  • memory/2276-82-0x0000000007360000-0x000000000737E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2276-72-0x000000006F800000-0x000000006F84C000-memory.dmp

    Filesize

    304KB

    Download

  • memory/2276-27-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2276-23-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5016-7-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5016-6-0x0000000005A70000-0x0000000005AC6000-memory.dmp

    Filesize

    344KB

    Download

  • memory/5016-51-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5016-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5016-10-0x00000000745EE000-0x00000000745EF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5016-11-0x00000000745E0000-0x0000000074D90000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5016-9-0x0000000007420000-0x000000000742C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/5016-13-0x0000000009D10000-0x0000000009D8A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/5016-5-0x0000000005830000-0x000000000583A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5016-4-0x0000000005860000-0x00000000058F2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5016-3-0x0000000005D70000-0x0000000006314000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5016-12-0x00000000076B0000-0x0000000007768000-memory.dmp

    Filesize

    736KB

    Download

  • memory/5016-8-0x0000000006320000-0x0000000006674000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/5016-2-0x0000000005720000-0x00000000057BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5016-1-0x0000000000C90000-0x0000000000D88000-memory.dmp

    Filesize

    992KB

    Download