Analysis

  • max time kernel
    102s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 19:32

General

  • Target

    65e86fe236bbdf389af34b2e8cf8f211.exe

  • Size

    915KB

  • MD5

    65e86fe236bbdf389af34b2e8cf8f211

  • SHA1

    f7d881dd7cfa27338c8bd4d820da737c8175eb58

  • SHA256

    683478f861e01bef5ec49d9ecdeaafd9c156811fc2e7b0acf28f2c9ea0d0fcc1

  • SHA512

    dd46add7f78d2b2c76c2dc3b6519726650689a5cf88fc32235ad45ccc4a8fba16ca15aa0248ab2dda5b40568d274b0192e914a5733031270c2b3052fea66f6b5

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.andms-kr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    kingwipper123

Signatures

  • AgentTesla

    Agent Tesla is a .NET (Visual Basic .NET) information stealer and remote access tool (RAT) that harvests credentials and keystrokes and, as in this sample, exfiltrates them over SMTP.

  • AgentTesla Payload 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
    "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
      "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
      2⤵
        PID:276
      • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
        "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
        2⤵
          PID:784
        • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
          "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:996

Network

MITRE ATT&CK Matrix

Downloads

  • memory/996-10-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB
  • memory/996-11-0x000000000043750E-mapping.dmp
  • memory/996-12-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB
  • memory/996-13-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize
    240KB
  • memory/996-14-0x0000000073F40000-0x000000007462E000-memory.dmp
    Filesize
    6.9MB
  • memory/1744-2-0x0000000073F40000-0x000000007462E000-memory.dmp
    Filesize
    6.9MB
  • memory/1744-3-0x0000000000A70000-0x0000000000A71000-memory.dmp
    Filesize
    4KB
  • memory/1744-5-0x0000000025780000-0x0000000045768000-memory.dmp
    Filesize
    511.9MB
  • memory/1744-6-0x0000000004D00000-0x0000000004D57000-memory.dmp
    Filesize
    348KB
  • memory/1744-7-0x00000000006D0000-0x00000000006D8000-memory.dmp
    Filesize
    32KB
  • memory/1744-9-0x0000000045770000-0x00000000457A9000-memory.dmp
    Filesize
    228KB
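The Processes and Downloads sections together describe the usual Agent Tesla self-injection shape: PID 1744 uses WriteProcessMemory and SetThreadContext, spawns three copies of its own image, and only the last copy (PID 996) shows further behaviour and has a 240KB image dumped at 0x400000 with a mapping address inside it. The script below is an added example, not part of the sandbox report or of any sandbox's own tooling; it transcribes the report's process tree and dump names as constructed input, flags the hollowing pattern, identifies the child that actually runs the payload, recomputes the region sizes, and checks that the recorded mapping address falls inside the dumped image. The assumption that the "-mapping.dmp" entry is the address the sandbox recorded for the injected code, and all function and data-structure names, are this example's own.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"


@dataclass
class Proc:
    pid: int
    image: str
    parent: Optional[int]
    signatures: Set[str] = field(default_factory=set)


# Constructed input: transcribed from the report's Processes section.
PROCESSES: List[Proc] = [
    Proc(1744, IMAGE, None, {"SetThreadContext", "EnumeratesProcesses",
                             "AdjustPrivilegeToken", "WriteProcessMemory"}),
    Proc(276, IMAGE, 1744),
    Proc(784, IMAGE, 1744),
    Proc(996, IMAGE, 1744, {"EnumeratesProcesses", "AdjustPrivilegeToken"}),
]

# Constructed input: transcribed from the report's Downloads section.
DUMPS: List[str] = [
    "memory/996-10-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/996-11-0x000000000043750E-mapping.dmp",
    "memory/996-12-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/996-13-0x0000000000400000-0x000000000043C000-memory.dmp",
    "memory/996-14-0x0000000073F40000-0x000000007462E000-memory.dmp",
    "memory/1744-2-0x0000000073F40000-0x000000007462E000-memory.dmp",
    "memory/1744-3-0x0000000000A70000-0x0000000000A71000-memory.dmp",
    "memory/1744-5-0x0000000025780000-0x0000000045768000-memory.dmp",
    "memory/1744-6-0x0000000004D00000-0x0000000004D57000-memory.dmp",
    "memory/1744-7-0x00000000006D0000-0x00000000006D8000-memory.dmp",
    "memory/1744-9-0x0000000045770000-0x00000000457A9000-memory.dmp",
]

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


@dataclass(frozen=True)
class Dump:
    pid: int
    idx: int
    start: int
    end: Optional[int]  # None for a single-address "mapping" entry
    kind: str


def parse_dumps(names: List[str]) -> List[Dump]:
    out = []
    for n in names:
        m = DUMP_RE.fullmatch(n)
        if not m:
            raise ValueError(f"unrecognised dump name: {n}")
        out.append(Dump(int(m["pid"]), int(m["idx"]), int(m["start"], 16),
                        int(m["end"], 16) if m["end"] else None, m["kind"]))
    return out


def human_size(nbytes: int) -> str:
    """Render a byte count the way the report does: KB, or MB to one decimal."""
    if nbytes >= 1 << 20:
        return f"{nbytes / (1 << 20):.1f}MB"
    return f"{nbytes // 1024}KB"


def region_sizes(dumps: List[Dump]) -> Dict[Tuple[int, int], str]:
    return {(d.pid, d.idx): human_size(d.end - d.start) for d in dumps if d.end is not None}


def find_self_injection(procs: List[Proc]) -> Dict[int, List[int]]:
    """Parent that writes into another process and rewrites a thread context,
    whose children run the same image path: the hollowing shape in this report."""
    by_pid = {p.pid: p for p in procs}
    hits: Dict[int, List[int]] = defaultdict(list)
    for p in procs:
        parent = by_pid.get(p.parent) if p.parent is not None else None
        if parent is None or parent.image.lower() != p.image.lower():
            continue
        if {"WriteProcessMemory", "SetThreadContext"} <= parent.signatures:
            hits[parent.pid].append(p.pid)
    return dict(hits)


def mapping_inside_dumped_region(dumps: List[Dump], pid: int) -> bool:
    """True if every mapping address recorded for pid lies inside one of its dumped regions."""
    mine = [d for d in dumps if d.pid == pid]
    maps = [d.start for d in mine if d.kind == "mapping"]
    regions = [(d.start, d.end) for d in mine if d.kind == "memory"]
    return bool(maps) and all(any(s <= a < e for s, e in regions) for a in maps)


def live_child(procs: List[Proc], children: List[int], dumps: List[Dump]) -> Optional[int]:
    """The spawned copy that both shows behaviour and has a mapping inside a dumped image."""
    by_pid = {p.pid: p for p in procs}
    for c in children:
        if by_pid[c].signatures and mapping_inside_dumped_region(dumps, c):
            return c
    return None


def shared_regions(dumps: List[Dump]) -> Dict[Tuple[int, int], Set[int]]:
    """Identical regions dumped from more than one PID (shared module, not payload)."""
    seen: Dict[Tuple[int, int], Set[int]] = defaultdict(set)
    for d in dumps:
        if d.kind == "memory":
            seen[(d.start, d.end)].add(d.pid)
    return {r: pids for r, pids in seen.items() if len(pids) > 1}


if __name__ == "__main__":
    dumps = parse_dumps(DUMPS)
    for parent, kids in find_self_injection(PROCESSES).items():
        print(f"PID {parent} hollows its own image into {kids}; payload runs in PID {live_child(PROCESSES, kids, dumps)}")
    for (pid, idx), size in region_sizes(dumps).items():
        print(f"PID {pid} dump {idx}: {size}")
    for (s, e), pids in shared_regions(dumps).items():
        print(f"region {s:#x}-{e:#x} is dumped from PIDs {sorted(pids)}")
```

Run as-is it reports PID 1744 injecting into 276, 784 and 996 with the payload live in 996, reproduces every Filesize in the Downloads list from the address ranges in the dump names, and shows the 6.9MB region at 0x73F40000 as common to both the parent and the hollowed child, which marks it as a shared module rather than the 240KB payload image; the children with no signatures and no dumps are the attempts that produced nothing the sandbox could record. When a sandbox report contains more than one "-mapping" entry for a child, the check still requires every mapping address to land inside a dumped region before it treats that child as the live payload.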