Overview

overview

10

Static

static

5

Materials_...8W.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250313-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/04/2025, 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Materials_Technical_Details_Order_BD298_N78W.exe

  • Size

    1.6MB

  • MD5

    f664590d422d04b09a429b5cccd3e43b

  • SHA1

    13bbba67e66f84ed51cf58f921e99c0409cb08fd

  • SHA256

    ccca9a72aa09a05d727e82e02dfd145f71e5c48e09b4b77c35995ca8ef162fb4

  • SHA512

    0489adf9e6f44dfbb2a86e366fb184410844fc6a6fcc7f82637cb3407904e3b831728699d170a5c4efd65a44f84818d36e0c6573a2a54ba6a839052cecb23ee6

  • SSDEEP

    49152:bu0c++OCvkGs9Fax9hsuaRaV5Db0uk+EmZN/srY:aB3vkJ9q1EiXGr

Score
10/10
agentteslaredlinesuccessdiscoveryinfostealerkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.dkplus.com.tr
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    04rf710m29

Extracted

Family

redline

Botnet

success

C2

204.10.161.147:7082

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • Redline family
    redline
  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Materials_Technical_Details_Order_BD298_N78W.exe
    "C:\Users\Admin\AppData\Local\Temp\Materials_Technical_Details_Order_BD298_N78W.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4080
    • C:\Users\Admin\AppData\Local\Bohmerwald\porcelainization.exe
      "C:\Users\Admin\AppData\Local\Temp\Materials_Technical_Details_Order_BD298_N78W.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:5564
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\Materials_Technical_Details_Order_BD298_N78W.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Users\Admin\AppData\Local\Temp\build.exe
          "C:\Users\Admin\AppData\Local\Temp\build.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3128
        • C:\Users\Admin\AppData\Local\Temp\Cmartins.exe
          "C:\Users\Admin\AppData\Local\Temp\Cmartins.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:676
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5564 -s 688
        3⤵
        • Program crash
        PID:3120
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 5564 -ip 5564
    1⤵
      PID:3996

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Bohmerwald\porcelainization.exe
      Filesize

      1.6MB

      MD5

      f664590d422d04b09a429b5cccd3e43b

      SHA1

      13bbba67e66f84ed51cf58f921e99c0409cb08fd

      SHA256

      ccca9a72aa09a05d727e82e02dfd145f71e5c48e09b4b77c35995ca8ef162fb4

      SHA512

      0489adf9e6f44dfbb2a86e366fb184410844fc6a6fcc7f82637cb3407904e3b831728699d170a5c4efd65a44f84818d36e0c6573a2a54ba6a839052cecb23ee6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cmartins.exe
      Filesize

      247KB

      MD5

      65b6608a990b2ccf94df5039f31a474d

      SHA1

      7e8478b76217639b63b10cedafdbc16a472da3a5

      SHA256

      8a6ce01f31abcd7c369b2c89932ec966a8e275ed392965def516c65f94efbc95

      SHA512

      7ece11b7c85bafcaaa71e58bfb405354588845dfa4c06e922ef852c40bf46261482d63f8b91c2614d8ed6fcbb7023f0f1c63db0e60f0152f4e858280d6894a75

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\aut488F.tmp
      Filesize

      720KB

      MD5

      d1913ebb8503347795e94361602d83a6

      SHA1

      66811e9678a955adf66806626df47a6d54863bd2

      SHA256

      0d8587e94e04b12fddd91f62ea600e8b746b3711ea9625e7fe9ed9374b044086

      SHA512

      ff008d1f11a03a94f3249e2819c4757ebb656e7960c2f37cd7a641fbeb9272b6987912e91a968dc6f38e3a874a76ca4795862d26faf2d105d1f85f6ab058ec03

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\build.exe
      Filesize

      300KB

      MD5

      209b15fade618af5831e6e2528a4fedc

      SHA1

      2efc49db01f3df2c1cd0a528c75e466a9478b698

      SHA256

      f07a706c0554ed9363bd396dd49f788a0df232caf0af01161d831a12b95d964d

      SHA512

      3431efa0cfe6c2262ed07a9fe084567d9548e586efcfa752e0cec455e07f8a3e6b3acacacef77317881a0682358cf92d37abad80730560c33cb1e2d564afa8be

      Download Submit

    • memory/676-93-0x0000000006450000-0x00000000064EC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/676-92-0x0000000006360000-0x00000000063B0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/676-79-0x00000000001F0000-0x0000000000234000-memory.dmp

      Filesize

      272KB

      Download

    • memory/676-85-0x0000000004BE0000-0x0000000004C46000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3128-88-0x0000000005C60000-0x0000000005D6A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3128-84-0x00000000058F0000-0x0000000005982000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3128-95-0x0000000008AA0000-0x0000000008FCC000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/3128-94-0x00000000083A0000-0x0000000008562000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3128-91-0x0000000005D70000-0x0000000005DBC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/3128-90-0x0000000005BF0000-0x0000000005C2C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3128-89-0x0000000005B90000-0x0000000005BA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3128-87-0x00000000069C0000-0x0000000006FD8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3128-82-0x0000000000FF0000-0x0000000001042000-memory.dmp

      Filesize

      328KB

      Download

    • memory/3128-86-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4080-8-0x0000000001390000-0x0000000001790000-memory.dmp

      Filesize

      4.0MB

      Download

    • memory/4684-48-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-24-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4684-27-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4684-80-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-83-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-44-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-26-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4684-29-0x00000000059B0000-0x0000000005A50000-memory.dmp

      Filesize

      640KB

      Download

    • memory/4684-50-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-81-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4684-25-0x0000000000400000-0x00000000004B8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/4684-52-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-54-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-28-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4684-55-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-42-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-46-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-40-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-38-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-36-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-33-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-34-0x0000000005AD0000-0x0000000005B69000-memory.dmp

      Filesize

      612KB

      Download

    • memory/4684-30-0x0000000073F30000-0x00000000746E0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4684-32-0x0000000005AD0000-0x0000000005B6E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/4684-31-0x0000000006080000-0x0000000006624000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/5564-22-0x0000000001160000-0x0000000001560000-memory.dmp

      Filesize

      4.0MB

      Download