Overview

overview

10

Static

static

SecuriteIn...62.exe

windows7_x64

10

SecuriteIn...62.exe

windows10_x64

10

Analysis

  • max time kernel
    111s
  • max time network
    109s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    22-01-2021 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe

  • Size

    39KB

  • MD5

    093581879b31e72cb9f58572e92a326b

  • SHA1

    79f62189cca9d966bf5fa783f54d6ad9032fe820

  • SHA256

    7284ce088723465f101b804f22a27e235f6ae8148dd1120508e3fed43348ed54

  • SHA512

    8440c62ca7cb060deea4c96c6957fd59d29c4617acae5b9c6e284caae2610d80ed107bfab765a3c5e010e3744cf6a8b150f633319f8731f142937b05a9a75d6a

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.sardaplywood.com
  • Port:
    587
  • Username:
    superstars@sardaplywood.com
  • Password:
    sup123st45

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 7 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 35 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1812
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
      2⤵
        PID:1604
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1432
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:112
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
        2⤵
          PID:280
        • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe
          "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.nm.26462.exe"
          2⤵
            PID:1956

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Persistence

        Privilege Escalation

        Defense Evasion

        Credential Access

        Credentials in Files

        3
        T1081

        Discovery

        Lateral Movement

        Collection

        Data from Local System

        3
        T1005

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/112-30-0x00000000009D0000-0x00000000009D1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/112-16-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/112-14-0x000000000043768E-mapping.dmp
          Download
        • memory/280-20-0x000000000043768E-mapping.dmp
          Download
        • memory/1432-12-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1432-32-0x0000000004AA1000-0x0000000004AA2000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1432-29-0x0000000004AA0000-0x0000000004AA1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1432-11-0x000000000043768E-mapping.dmp
          Download
        • memory/1604-8-0x000000000043768E-mapping.dmp
          Download
        • memory/1604-15-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1604-10-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1604-7-0x0000000000400000-0x000000000043C000-memory.dmp
          Filesize

          240KB

          Download
        • memory/1604-31-0x0000000004A00000-0x0000000004A01000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1812-2-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/1812-23-0x00000000004C0000-0x00000000004C1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1812-6-0x0000000004B70000-0x0000000004BCC000-memory.dmp
          Filesize

          368KB

          Download
        • memory/1812-5-0x0000000004050000-0x0000000004051000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1812-3-0x0000000000060000-0x0000000000061000-memory.dmp
          Filesize

          4KB

          Download
        • memory/1956-26-0x000000000043768E-mapping.dmp
          Download
        • memory/1956-27-0x0000000073E00000-0x00000000744EE000-memory.dmp
          Filesize

          6.9MB

          Download