Overview

overview

10

Static

static

65e86fe236...11.exe

windows7_x64

10

65e86fe236...11.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    114s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    04-12-2020 19:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    65e86fe236bbdf389af34b2e8cf8f211.exe

  • Size

    915KB

  • MD5

    65e86fe236bbdf389af34b2e8cf8f211

  • SHA1

    f7d881dd7cfa27338c8bd4d820da737c8175eb58

  • SHA256

    683478f861e01bef5ec49d9ecdeaafd9c156811fc2e7b0acf28f2c9ea0d0fcc1

  • SHA512

    dd46add7f78d2b2c76c2dc3b6519726650689a5cf88fc32235ad45ccc4a8fba16ca15aa0248ab2dda5b40568d274b0192e914a5733031270c2b3052fea66f6b5

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.andms-kr.com
  • Port:
    587
  • Username:
    and@andms-kr.com
  • Password:
    kingwipper123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
    "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:744
    • C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe
      "C:\Users\Admin\AppData\Local\Temp\65e86fe236bbdf389af34b2e8cf8f211.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:696

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\65e86fe236bbdf389af34b2e8cf8f211.exe.log
    MD5

    65f1f0c7993639f9f9e1d524224a2c93

    SHA1

    5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

    SHA256

    e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

    SHA512

    3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

    Download Submit
  • memory/696-16-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/696-25-0x00000000063B0000-0x00000000063B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/696-24-0x0000000005860000-0x0000000005861000-memory.dmp
    Filesize

    4KB

    Download
  • memory/696-19-0x0000000073A20000-0x000000007410E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/696-17-0x000000000043750E-mapping.dmp
    Download
  • memory/744-7-0x0000000004DF0000-0x0000000004DF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-10-0x00000000057F0000-0x00000000057F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-11-0x0000000026530000-0x0000000046518000-memory.dmp
    Filesize

    511.9MB

    Download
  • memory/744-12-0x00000000469C0000-0x0000000046A17000-memory.dmp
    Filesize

    348KB

    Download
  • memory/744-13-0x0000000004FA0000-0x0000000004FA8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/744-15-0x0000000046A20000-0x0000000046A59000-memory.dmp
    Filesize

    228KB

    Download
  • memory/744-9-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-8-0x0000000002850000-0x0000000002851000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-2-0x0000000073A20000-0x000000007410E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/744-6-0x00000000052F0000-0x00000000052F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-5-0x0000000004D50000-0x0000000004D51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/744-3-0x0000000000390000-0x0000000000391000-memory.dmp
    Filesize

    4KB

    Download