Overview

overview

10

Static

static

7

无害_loser.exe

windows10-2004-x64

10

无害_loser.exe

windows10-1703-x64

10

无害_loser.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    453s
  • max time network
    454s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-06-2024 06:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    无害_loser.exe

  • Size

    5.2MB

  • MD5

    c81c10d2b6f80f12fe481141d70c536e

  • SHA1

    90b79aa16857a42466fcc2181e91701ffbf5d5a1

  • SHA256

    ea458deec798ececbd3fda65fc05928c0cfc4c54eccc76f68c8dfc6d1e434024

  • SHA512

    1648f975ffb40ba3d2c2a5b4b672a610cc92ae7afce1f71299f0636ff931bb351a0506929596e001780c434a2b5d467cfe721f72596d1bc8a053b6c08bbcb25d

  • SSDEEP

    98304:4AnfzVUmMRJDbHhGUUu4d1Ma04HFlaUxe9c4+rlNL2fSBm8b91a2:4Anfzum+nYD1z75e9P+rlN2aU8va

Score
10/10
agentteslaevasionkeyloggerransomwarespywarestealerthemidatrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Themida packer 3 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\无害_loser.exe
    "C:\Users\Admin\AppData\Local\Temp\无害_loser.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Sets desktop wallpaper using registry
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1064
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4424
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:1208

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1
T1497

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

1
T1497

System Information Discovery

4
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Defacement

1
T1491

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx
    Filesize

    64KB

    MD5

    d2fb266b97caff2086bf0fa74eddb6b2

    SHA1

    2f0061ce9c51b5b4fbab76b37fc6a540be7f805d

    SHA256

    b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a

    SHA512

    c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8

    Download Submit
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock
    Filesize

    4B

    MD5

    f49655f856acb8884cc0ace29216f511

    SHA1

    cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

    SHA256

    7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

    SHA512

    599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

    Download Submit
  • C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val
    Filesize

    944B

    MD5

    6bd369f7c74a28194c991ed1404da30f

    SHA1

    0f8e3f8ab822c9374409fe399b6bfe5d68cbd643

    SHA256

    878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d

    SHA512

    8fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93

    Download Submit
  • memory/1064-17-0x0000000005B70000-0x0000000005C02000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1064-19-0x0000000010000000-0x0000000010214000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1064-1-0x00000000766F0000-0x00000000766F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1064-6-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-7-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-12-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-14-0x0000000000400000-0x000000000130A000-memory.dmp
    Filesize

    15.0MB

    Download
  • memory/1064-15-0x0000000000400000-0x000000000130A000-memory.dmp
    Filesize

    15.0MB

    Download
  • memory/1064-16-0x0000000005C70000-0x0000000006214000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1064-38-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-18-0x0000000006390000-0x000000000639A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1064-3-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-21-0x0000000000400000-0x000000000130A000-memory.dmp
    Filesize

    15.0MB

    Download
  • memory/1064-23-0x00000000766F0000-0x00000000766F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1064-24-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-0-0x0000000000400000-0x000000000130A000-memory.dmp
    Filesize

    15.0MB

    Download
  • memory/1064-4-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-5-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-2-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-44-0x0000000000400000-0x000000000130A000-memory.dmp
    Filesize

    15.0MB

    Download
  • memory/1064-43-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-40-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/1064-39-0x00000000766D0000-0x00000000767C0000-memory.dmp
    Filesize

    960KB

    Download
  • memory/4424-25-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-33-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-34-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-35-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-36-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-37-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-31-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-32-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-27-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4424-26-0x00000120CFD40000-0x00000120CFD41000-memory.dmp
    Filesize

    4KB

    Download