Automated Malware Analysis Report for ORDER 5211009876.exe
Total Page:16
File Type:pdf, Size:1020Kb
ID: 386799
Sample Name: ORDER 5211009876.exe
Cookbook: default.jbs
Time: 20:09:05
Date: 14/04/2021
Version: 31.0.0 Emerald

Table of Contents

Table of Contents 2
Analysis Report ORDER 5211009876.exe 4
  Overview 4
    General Information 4
    Detection 4
    Signatures 4
    Classification 4
  Startup 4
  Malware Configuration 4
    Threatname: Agenttesla 4
  Yara Overview 4
    Memory Dumps 4
    Unpacked PEs 5
  Sigma Overview 5
    System Summary: 5
  Signature Overview 5
    AV Detection: 5
    System Summary: 5
    Boot Survival: 5
    Malware Analysis System Evasion: 6
    HIPS / PFW / Operating System Protection Evasion: 6
    Stealing of Sensitive Information: 6
    Remote Access Functionality: 6
  Mitre Att&ck Matrix 6
  Behavior Graph 7
  Screenshots 7
    Thumbnails 7
  Antivirus, Machine Learning and Genetic Malware Detection 8
    Initial Sample 8
    Dropped Files 8
    Unpacked PE Files 8
    Domains 8
    URLs 9
  Domains and IPs 10
    Contacted Domains 10
    URLs from Memory and Binaries 10
    Contacted IPs 13
      Public 14
  General Information 14
  Simulations 15
    Behavior and APIs 15
  Joe Sandbox View / Context 15
    IPs 15
    Domains 16
    ASN 16
    JA3 Fingerprints 16
    Dropped Files 17
  Created / dropped Files 17
  Static File Info 18
    General 18
    File Icon 18
    Static PE Info 18
      General 19
      Entrypoint Preview 19
      Data Directories 20
      Sections 21
      Resources 21
      Imports 21
      Version Infos 21
  Network Behavior 21
    Network Port Distribution 22
    TCP Packets 22
    UDP Packets 23
    DNS Queries 23
    DNS Answers 23
    SMTP Packets 23
  Code Manipulations 24
  Statistics 24
    Behavior 24
  System Behavior 24
    Analysis Process: ORDER 5211009876.exe PID: 3396 Parent PID: 5636 24
      General 24
      File Activities 25
        File Created 25
        File Deleted 25
        File Written 25
        File Read 27
    Analysis Process: schtasks.exe PID: 6488 Parent PID: 3396 27
      General 27
      File Activities 28
        File Read 28
    Analysis Process: conhost.exe PID: 6504 Parent PID: 6488 28
      General 28
    Analysis Process: ORDER 5211009876.exe PID: 6540 Parent PID: 3396 28
      General 28
    Analysis Process: ORDER 5211009876.exe PID: 6588 Parent PID: 3396 28
      General 28
      File Activities 29
        File Created 29
        File Read 29
  Disassembly 29
    Code Analysis 29

Copyright Joe Security LLC 2021

Analysis Report ORDER 5211009876.exe

Overview

General Information
  Sample Name: ORDER 5211009876.exe
  Analysis ID: 386799
  MD5: f59b0f9d9b8a789…
  SHA1: e4835a1a2ec55c…
  SHA256: 0a873d72d161d2…
  Tags: AgentTesla
  Infos:
  Most interesting Screenshot:

Detection
  Score: 100
  Range: 0 - 100
  Whitelisted: false
  Confidence: 100%

Classification
  (Classification chart; categories: Ransomware, Miner, Spreading, Phishing, Evader, Exploiter, Banker, Spyware, Trojan / Bot, Adware; scale: malicious / suspicious / clean. Sample classified as AgentTesla.)

Signatures
  Found malware configuration
  Multi AV Scanner detection for dropp…
  Multi AV Scanner detection for subm…
  Sigma detected: Scheduled temp file…
  Yara detected AgentTesla
  Yara detected AntiVM3
  .NET source code contains very larg…
  Initial sample is a PE file and has a…
  Injects a PE file into a foreign proce…
  Machine Learning detection for dropp…
  Machine Learning detection for sam…
  Queries sensitive BIOS Information …
  Queries sensitive network adapter in…
  Tries to detect sandboxes and other…
  Tries to harvest and steal Putty / Wi…
  Tries to harvest and steal browser in…
  Tries to harvest and steal ftp login c…
  Tries to steal Mail credentials (via fil…
  Uses schtasks.exe or at.exe to add …
  Antivirus or Machine Learning detec…
  Contains capabilities to detect virtua…
  Contains functionality to access load…
  Contains functionality to call native f…
  Contains long sleeps (>= 3 min)
  Creates a DirectInput object (often fo…
  Creates a process in suspended mo…
  Detected TCP or UDP traffic on non…
  Detected potential crypto function
  Drops PE files
  Enables debug privileges
  Found a high number of Window / Us…
  Found inlined nop instructions (likely…
  IP address seen in connection with o…
  May sleep (evasive loops) to hinder …
  Monitors certain registry keys / valu…
  PE file contains strange resources
  Queries sensitive processor informa…
  Queries the volume information (nam…
  Sample execution stops while proce…
  Sample file is different than original …
  Uses 32bit PE files
  Uses SMTP (mail sending)
  Uses code obfuscation techniques (…

Startup
  System is w10x64
  ORDER 5211009876.exe (PID: 3396 cmdline: 'C:\Users\user\Desktop\ORDER 5211009876.exe' MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
    schtasks.exe (PID: 6488 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uxWltWT' /XML 'C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    ORDER 5211009876.exe (PID: 6540 cmdline: C:\Users\user\Desktop\ORDER 5211009876.exe MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
    ORDER 5211009876.exe (PID: 6588 cmdline: C:\Users\user\Desktop\ORDER 5211009876.exe MD5: F59B0F9D9B8A789B7E3D4AB8E0CCF737)
  cleanup

Malware Configuration

Threatname: Agenttesla
{
  "Exfil Mode": "SMTP",
  "SMTP Info": "[email protected]##smtp.vivaldi.net"
}

Yara Overview

Memory Dumps
  Source | Rule | Description | Author | Strings
  00000008.00000002.486705475.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  00000000.00000002.258890858.00000000028E1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
  00000008.00000002.493258053.0000000003251000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
  00000000.00000002.260489955.00000000038E9000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  Process Memory Space: ORDER 5211009876.exe PID: 6588 | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs
  Source | Rule | Description | Author | Strings
  0.2.ORDER 5211009876.exe.39f7c28.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  0.2.ORDER 5211009876.exe.39f7c28.2.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
  0.2.ORDER 5211009876.exe.290e030.1.raw.unpack | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
  8.2.ORDER 5211009876.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:
  Sigma detected: Scheduled temp file as task from temp location

Signature Overview
• AV Detection
• Compliance
• Software Vulnerabilities
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Boot Survival
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
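Two of the behaviours above are cheap to detect from ordinary process-creation telemetry: the Sigma hit "Scheduled temp file as task from temp location" (schtasks.exe /Create with its /XML task definition under a Temp directory, exactly the PID 6488 command line in the Startup section) and the parent re-launching its own image (PID 3396 spawning 6540 and 6588), which is the footprint that usually accompanies "Creates a process in suspended mode" and PE injection. The detection below is an added example written for this page, not code from Joe Security or from the report; the PIDs and command lines are copied from the Startup section, the event shape (pid, ppid, image, cmdline) mimics Sysmon Event ID 1 fields, and the two extra schtasks events are constructed controls.

```python
# Added example (not code from the Joe Sandbox report): a detection that
# reproduces two behaviours the report flags, run over constructed
# process-creation events shaped like Sysmon Event ID 1 fields.
#  1. The Sigma hit "Scheduled temp file as task from temp location":
#     schtasks.exe /Create whose /XML task definition sits under a Temp
#     directory (the report's own schtasks command line is one event).
#  2. The self-relaunch pattern in the process tree (PID 3396 spawning two
#     more copies of ORDER 5211009876.exe), the usual footprint of
#     "Creates a process in suspended mode" followed by PE injection.
# PIDs and command lines come from the report's Startup section; the two
# extra schtasks events are constructed controls.
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the new process image
    cmdline: str    # command line as logged


# Windows-style tokeniser: quoted chunks (single or double quotes) stay whole.
_ARG_RE = re.compile(r"""'[^']*'|"[^"]*"|\S+""")


def split_args(cmdline):
    return [tok.strip("'\"") for tok in _ARG_RE.findall(cmdline)]


# Directory fragments treated as a "temp location" (matched case-insensitively).
TEMP_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def is_temp_path(path):
    p = path.lower()
    return any(frag in p for frag in TEMP_DIRS)


def schtasks_from_temp(ev):
    """Return the task-definition path if this event is schtasks.exe /Create
    with /XML pointing into a Temp directory, otherwise None."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    args = split_args(ev.cmdline)
    lowered = [a.lower() for a in args]
    if "/create" not in lowered or "/xml" not in lowered:
        return None
    i = lowered.index("/xml")
    if i + 1 >= len(args):          # malformed: /XML without a path
        return None
    return args[i + 1] if is_temp_path(args[i + 1]) else None


def self_spawns(events):
    """Map parent PID -> child PIDs where the child runs the parent's own
    image path (a re-launch of self, as seen before process hollowing)."""
    by_pid = {e.pid: e for e in events}
    found = {}
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() == e.image.lower():
            found.setdefault(parent.pid, []).append(e.pid)
    return found


def analyse(events):
    """All findings as (rule, pid, detail) tuples."""
    findings = [("schtasks_xml_from_temp", e.pid, schtasks_from_temp(e))
                for e in events if schtasks_from_temp(e)]
    findings += [("self_spawn", ppid, kids) for ppid, kids in self_spawns(events).items()]
    return findings


ORDER_EXE = r"C:\Users\user\Desktop\ORDER 5211009876.exe"
SCHTASKS = r"C:\Windows\System32\schtasks.exe"

SAMPLE_EVENTS = [
    # process tree as listed in the report's Startup section
    ProcEvent(3396, 5636, ORDER_EXE, "'" + ORDER_EXE + "'"),
    ProcEvent(6488, 3396, SCHTASKS,
              r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\uxWltWT' "
              r"/XML 'C:\Users\user\AppData\Local\Temp\tmp1DBD.tmp'"),
    ProcEvent(6504, 6488, r"C:\Windows\system32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(6540, 3396, ORDER_EXE, ORDER_EXE),
    ProcEvent(6588, 3396, ORDER_EXE, ORDER_EXE),
    # constructed control: a legitimate-looking task registered from ProgramData
    ProcEvent(7001, 7000, SCHTASKS,
              r'schtasks.exe /create /tn "Vendor\Update" /xml "C:\ProgramData\Vendor\update.xml"'),
    # constructed variant: same trick through the system Temp directory, unquoted path
    ProcEvent(7101, 7100, SCHTASKS,
              r'schtasks.exe /Create /TN "Updates\abc" /XML C:\Windows\Temp\task.xml /F'),
]

if __name__ == "__main__":
    for rule, pid, detail in analyse(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

On the report's tree this yields two schtasks hits (PID 6488 with the tmp1DBD.tmp definition, plus the constructed Windows\Temp variant) and one self-spawn finding for PID 3396 with children 6540 and 6588; the ProgramData control stays silent. The task name and XML file are attacker-chosen, so the rule keys on the /XML location rather than on "Updates\uxWltWT" or tmp1DBD.tmp, and the tokeniser keeps quoted paths whole because the sample quotes some arguments and not others.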