Overview

overview

10

Static

static

3

1669d57e8c...0b.exe

windows7-x64

10

1669d57e8c...0b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    4s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01-07-2024 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe

  • Size

    2.2MB

  • MD5

    31cbb0ad4fbff526978c68212a36fb90

  • SHA1

    d5cbdd8f03037a73dd40c0819498c969ae5b9102

  • SHA256

    1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b

  • SHA512

    3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5

  • SSDEEP

    49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ

Score
10/10
agentteslaredlinexwormfozexecutioninfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

195.10.205.94:7725

Mutex

rliv2fMggtmcxYMM

Attributes
  • Install_directory

    %AppData%

  • install_file

    XClient.exe

aes.plain

Extracted

Family

agenttesla

Credentials

Extracted

Family

redline

Botnet

foz

C2

209.90.234.57:1913

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect Xworm Payload 3 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Looks up external IP address via web service 5 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe
    "C:\Users\Admin\AppData\Local\Temp\1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1688
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
      2⤵
        PID:2300
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2708
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2732
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CasPol.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2760
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2768
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
          3⤵
          • Command and Scripting Interpreter: PowerShell
          PID:2692

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Initial Access

    Execution

    Command and Scripting Interpreter

    1
    T1059

    PowerShell

    1
    T1059.001

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Resource Development

    Reconnaissance

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      68995f5bd2f6581dd7c7288b1547ba86

      SHA1

      3b1c8a2ca8215cc78e5017a80cc898f310d16857

      SHA256

      0b379f3a872af073da85e5bfdea1140c028c15da5144326be7525d092ef0076a

      SHA512

      43ee7654d781834ffd3a6c8b9529e37dbbad235b5ed90135d836ebc13daceaa6f9ce87d51a7ec754b6630ea1b40b8b061e7966a6ed775f8601666b4b0e1bfd7f

      Download Submit
    • memory/2708-3-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2708-5-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2708-6-0x000000007434E000-0x000000007434F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2708-1-0x0000000000400000-0x0000000000410000-memory.dmp
      Filesize

      64KB

      Download
    • memory/2708-25-0x0000000074340000-0x0000000074A2E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2708-26-0x0000000005060000-0x00000000050A2000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2708-27-0x00000000067C0000-0x0000000006812000-memory.dmp
      Filesize

      328KB

      Download
    • memory/2708-28-0x00000000068B0000-0x00000000068F4000-memory.dmp
      Filesize

      272KB

      Download
    • memory/2708-29-0x000000007434E000-0x000000007434F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2708-30-0x0000000074340000-0x0000000074A2E000-memory.dmp
      Filesize

      6.9MB

      Download