Overview

overview

10

Static

static

SecuriteIn...60.exe

windows7_x64

10

SecuriteIn...60.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    29s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    05-12-2020 11:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe

  • Size

    828KB

  • MD5

    2bdefd73dd2bb3c79fb31f58b979c497

  • SHA1

    3df7f884fcaf945946443a451ddd5e8170dc6ca7

  • SHA256

    68b03caba912a93057cc47618982c7c33ec41ccc1ab853b2e0d7483a383df603

  • SHA512

    f8097b3ec587abb29f8eb0df75cc70e9ebf7e5a997827571dceeadc1fd63bf58a56a22717877cfd4625035d9be036ee4b61def76d6cf2c4080cd10e4b15fa335

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.soin3.com
  • Port:
    587
  • Username:
    mojo@soin3.com
  • Password:
    icui4cu2@@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
      2⤵
        PID:1412
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Agent.EZWQ.26739.4560.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1368

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
      MD5

      ffe49d7f3dfb6964aa7d8da1e91dffac

      SHA1

      2d573696f21f06b91d4bc0c371f7b89e0f940887

      SHA256

      5a517ee191b151185f684b5fd6b5d48cd43f06306766c27ca024513b55e21da9

      SHA512

      df2a1ea3b0df4c48178ff8c5fed6bba385dc70f63778aa6fb7e50497c64f1deef27e11139948f8f9f63e052ae1b5cbccfa6a6193a9afc4c088d18f1a0f94f6f3

      Download Submit
    • memory/1368-6-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1368-7-0x000000000043722E-mapping.dmp
      Download
    • memory/1368-8-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1368-9-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download