Overview

overview

10

Static

static

7ec490cadb...88.exe

windows7_x64

10

7ec490cadb...88.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ec490cadb46d941cf22039f839e5688.exe

  • Size

    476KB

  • MD5

    7ec490cadb46d941cf22039f839e5688

  • SHA1

    fe05ea713895882c0f80045e6b5eb3db15f97d12

  • SHA256

    71502c5ab4ccd1d224efd3ca833f145086a50805c7ca1f7cb48d9ea2f96ffd18

  • SHA512

    be9e01965465225605f77312d5ec7085dc8418b680db3272a226a3dec2b902f188748039edc179dc5254bdaba9a7c101bd48b4fff926e50dd909bc28fbab20c7

Score
10/10
agentteslacoreentitykeyloggerrezer0spywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.ecojett.co
  • Port:
    587
  • Username:
    ikeji@ecojett.co
  • Password:
    HZnUICj1

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • CoreEntity .NET Packer 1 IoCs

    A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

    coreentity
  • AgentTesla Payload 2 IoCs
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe
    "C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:728
    • C:\Users\Admin\AppData\Local\Temp\7ec490cadb46d941cf22039f839e5688.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1344

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7ec490cadb46d941cf22039f839e5688.exe.log
    MD5

    179a315edc48c9f36389c2f6c6df7381

    SHA1

    eea81bdc49cdade53dbe305b9b6d1ed1226624ac

    SHA256

    8bc7fa3629a7470a1a58cd39660fa3f2387f620410560dbd337e809f102403b1

    SHA512

    12c6dabeb0d65e7e7966855a8c1efc8ac8580c206d451daa7e46b3d2e992da6195db16b6c3bb2c497de2352a485ac8f3e949b7e8b134e9860407d0c91f228a26

    Download Submit
  • memory/728-7-0x00000000056C0000-0x00000000056C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/728-1-0x0000000000770000-0x0000000000771000-memory.dmp
    Filesize

    4KB

    Download
  • memory/728-4-0x0000000005050000-0x0000000005052000-memory.dmp
    Filesize

    8KB

    Download
  • memory/728-5-0x00000000097D0000-0x00000000097D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/728-6-0x00000000055C0000-0x0000000005611000-memory.dmp
    Filesize

    324KB

    Download
  • memory/728-0-0x0000000073EE0000-0x00000000745CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/728-8-0x0000000005C60000-0x0000000005C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/728-3-0x00000000076D0000-0x0000000007729000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1344-9-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/1344-10-0x000000000044A49E-mapping.dmp
    Download
  • memory/1344-12-0x0000000073EE0000-0x00000000745CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1344-17-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-18-0x0000000005580000-0x0000000005581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1344-20-0x0000000006060000-0x0000000006061000-memory.dmp
    Filesize

    4KB

    Download