Overview

overview

10

Static

static

3

DeathCrypt....0.exe

windows7-x64

10

DeathCrypt....0.exe

windows10-1703-x64

10

DeathCrypt....0.exe

windows10-2004-x64

10

DeathCrypt....0.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    30-06-2024 15:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DeathCrypter-0.7.0.exe

  • Size

    9.8MB

  • MD5

    e5b1ff36f9fca02f63e3de2fe4861b55

  • SHA1

    36e275dcf39a1a963ee0113af3e9f60e2a1a40f7

  • SHA256

    57ec4122db9efd9fb97b27b6844d2026fcb25333ef18f4f2a44d63ad301c7a80

  • SHA512

    bf43a7e5c839de792e756dc3ec75a9be8e779f57f7ab84f7e157aa796f7569045166e1fc889d014b0411501a4f3a4656a037fba78cf44d39b4b03b965bd8e09f

  • SSDEEP

    196608:t41mNygKiOPY+ZozEhjRS5jlFUMEEk1n9V4rdkACYnksmj4bsDgbC8VN0:t4Oy+OjkEhjQlFFha9WrmAmwbzCN

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DeathCrypter-0.7.0.exe
    "C:\Users\Admin\AppData\Local\Temp\DeathCrypter-0.7.0.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    PID:1468
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2912
  • C:\Windows\system32\browser_broker.exe
    C:\Windows\system32\browser_broker.exe -Embedding
    1⤵
    • Modifies Internet Explorer settings
    PID:4892
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2864
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3160
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Drops file in Windows directory
    • Modifies registry class
    PID:1224
  • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
    "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
    1⤵
    • Modifies registry class
    PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
    Filesize

    4KB

    MD5

    1bfe591a4fe3d91b03cdf26eaacd8f89

    SHA1

    719c37c320f518ac168c86723724891950911cea

    SHA256

    9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

    SHA512

    02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

    Download Submit
  • C:\Users\Admin\AppData\Local\MicrosoftEdge\SharedCacheContainers\MicrosoftEdge_iecompat\IECompatData.xml
    Filesize

    74KB

    MD5

    d4fc49dc14f63895d997fa4940f24378

    SHA1

    3efb1437a7c5e46034147cbbc8db017c69d02c31

    SHA256

    853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

    SHA512

    cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

    Download Submit
  • C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\4RJHRD2W\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit
  • memory/1224-69-0x000002D230A00000-0x000002D230B00000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/1224-74-0x000002D2411B0000-0x000002D2411B2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1224-76-0x000002D2411D0000-0x000002D2411D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1224-78-0x000002D2411F0000-0x000002D2411F2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1224-80-0x000002D241310000-0x000002D241312000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1224-95-0x000002D241520000-0x000002D241540000-memory.dmp
    Filesize

    128KB

    Download
  • memory/1224-89-0x000002D241960000-0x000002D241962000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1224-82-0x000002D2413D0000-0x000002D2413D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1468-8-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1468-6-0x000001C7D5B20000-0x000001C7D5BD0000-memory.dmp
    Filesize

    704KB

    Download
  • memory/1468-1-0x000001C7B9C60000-0x000001C7BB162000-memory.dmp
    Filesize

    21.0MB

    Download
  • memory/1468-2-0x000001C7BB680000-0x000001C7BB681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1468-52-0x000001C7D70F0000-0x000001C7D73FC000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1468-4-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1468-12-0x000001C7D5D40000-0x000001C7D5D7E000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1468-10-0x000001C7BCF60000-0x000001C7BCF82000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1468-9-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1468-0-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1468-7-0x000001C7BB710000-0x000001C7BB722000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1468-264-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1468-5-0x000001C7D5910000-0x000001C7D5B22000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/1468-3-0x000001C7D57A0000-0x000001C7D5912000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1468-260-0x00007FFA60383000-0x00007FFA60384000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1468-261-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1468-263-0x00007FFA60380000-0x00007FFA60D6C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2912-29-0x0000026C3C820000-0x0000026C3C830000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2912-48-0x0000026C399D0000-0x0000026C399D2000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2912-318-0x0000026C44BD0000-0x0000026C44BD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2912-319-0x0000026C44BE0000-0x0000026C44BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2912-13-0x0000026C3C720000-0x0000026C3C730000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3160-58-0x000001A805300000-0x000001A805400000-memory.dmp
    Filesize

    1024KB

    Download