Overview

overview

10

Static

static

Default

windows10_x64

10

Analysis

  • max time kernel
    294s
  • max time network
    294s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    20-01-2021 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirm Bank Details.exe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    premium84.web-hosting.com
  • Port:
    587
  • Username:
    onyi@m3texsourcnig.com
  • Password:
    cashmoney.123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
    "C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oSECbve" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EC4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:940
    • C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
      "{path}"
      2⤵
        PID:4016
      • C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
        "{path}"
        2⤵
          PID:2744
        • C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
          "{path}"
          2⤵
            PID:2820
          • C:\Users\Admin\AppData\Local\Temp\Confirm Bank Details.exe
            "{path}"
            2⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of SetWindowsHookEx
            PID:4036

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        System Information Discovery

        1
        T1082

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Confirm Bank Details.exe.log
          MD5

          b4f7a6a57cb46d94b72410eb6a6d45a9

          SHA1

          69f3596ffa027202d391444b769ceea0ae14c5f7

          SHA256

          23994ebe221a48ea16ebad51ae0d4b47ccd415ae10581f9405e588d4f6c2523b

          SHA512

          be6da516e54c3a5b33ac2603137a2f8cf8445ff5961dd266faedf3627bae8979953d7ef305538df0151c609917a5b99bf5d023bdd32de50fd5c723950f90db5c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\tmp1EC4.tmp
          MD5

          fc93b5598bfe51b6fab30f6965a9e937

          SHA1

          2227f24ce85044c5e4dd8db6c5599055d20ba6c9

          SHA256

          6d82c6aba0cf905509b5f5bd66a819e037438f08b22495050876120434fa1d72

          SHA512

          ce0fa5526fa13cad37a9825399ecb2c901a962f3e62513199aff270eed9814920be948d9cd68f385b9c890be8b97632504b3ebc36e5c9cff66093a653d5ab18e

          Download Submit
        • memory/940-13-0x0000000000000000-mapping.dmp
          Download
        • memory/3324-11-0x0000000005BC0000-0x0000000005C15000-memory.dmp
          Filesize

          340KB

          Download
        • memory/3324-6-0x000000000B7D0000-0x000000000B7D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3324-8-0x0000000005BB0000-0x0000000005BB1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3324-9-0x00000000059E0000-0x00000000059E1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3324-10-0x0000000005BA0000-0x0000000005BAE000-memory.dmp
          Filesize

          56KB

          Download
        • memory/3324-2-0x0000000073900000-0x0000000073FEE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3324-12-0x0000000005CE0000-0x0000000005CE1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3324-7-0x000000000B370000-0x000000000B371000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3324-5-0x0000000007F40000-0x0000000007FCC000-memory.dmp
          Filesize

          560KB

          Download
        • memory/3324-3-0x0000000000F00000-0x0000000000F01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4036-16-0x00000000004374EE-mapping.dmp
          Download
        • memory/4036-15-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/4036-18-0x0000000073900000-0x0000000073FEE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/4036-23-0x0000000005520000-0x0000000005521000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4036-24-0x0000000005830000-0x0000000005831000-memory.dmp
          Filesize

          4KB

          Download
        • memory/4036-25-0x0000000005FD0000-0x0000000005FD1000-memory.dmp
          Filesize

          4KB

          Download