Overview

overview

10

Static

static

SecuriteIn...59.exe

windows7_x64

10

SecuriteIn...59.exe

windows10_x64

10

Analysis

  • max time kernel
    109s
  • max time network
    118s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-01-2021 11:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe

  • Size

    2.0MB

  • MD5

    3c68883aec0f8998e92336eb1e4a5dfc

  • SHA1

    55f2c9c5622104af60bbdfdb50614d3add1cf83d

  • SHA256

    83ed44db03acc4abfb655a211c01e03c56bab2a016e603de64aeeb0bca8a77ca

  • SHA512

    530e1c300677f8a8dade7dbc1b15abef0974a935255c5739f720f000c2b1931cf0f7eaf7837d4630a920d2e674023abc699f8ccf325c0de4e7ce1846bfe78806

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.owlpk.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    786owlacc?

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.owlpk.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    786owlacc?

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Turns off Windows Defender SpyNet reporting 2 TTPs
    evasion
  • Windows security bypass 2 TTPs
    evasiontrojan
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Windows security modification 2 TTPs 10 IoCs
    evasiontrojan
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3116
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
      2⤵
      • Windows security modification
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe" -Force
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2716
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1172

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Disabling Security Tools

3
T1089

Modify Registry

3
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.BehavesLike.Win32.Generic.tz.259.exe.log
    MD5

    4d710ca9c563bbb76bb29b87d5d64282

    SHA1

    2b1271f68a5d18e1c1bb08800a9cc9464e8a81ad

    SHA256

    6c7ac5cff014a13315b8813524bbd14471f1ab7aac691be94d4d4f28e4cd2de4

    SHA512

    873c9ee04e4f8d23f8cf90ffea89a362e8eda43c0cfc6bb47442f93e0add8794c004081350cfbd7cfaed6d101582287b26a00951d4019dfb466f21514e5d90d6

    Download Submit
  • memory/1172-62-0x00000000057E1000-0x00000000057E2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-58-0x0000000005B80000-0x0000000005B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-53-0x00000000057E0000-0x00000000057E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1172-48-0x0000000073840000-0x0000000073F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1172-47-0x000000000043779E-mapping.dmp
    Download
  • memory/1172-46-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2272-23-0x0000000005710000-0x0000000005711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2272-10-0x0000000010000000-0x000000001004E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2272-11-0x0000000010049EFE-mapping.dmp
    Download
  • memory/2272-13-0x0000000073840000-0x0000000073F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2716-27-0x0000000007420000-0x0000000007421000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-34-0x00000000089A0000-0x00000000089D3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/2716-20-0x0000000073840000-0x0000000073F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2716-22-0x0000000006B40000-0x0000000006B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-21-0x0000000004100000-0x0000000004101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-56-0x0000000008E50000-0x0000000008E51000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-24-0x0000000004160000-0x0000000004161000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-25-0x0000000004162000-0x0000000004163000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-26-0x0000000007280000-0x0000000007281000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-54-0x0000000008E60000-0x0000000008E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-28-0x00000000071F0000-0x00000000071F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-29-0x0000000007550000-0x0000000007551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-30-0x0000000007400000-0x0000000007401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-31-0x0000000007960000-0x0000000007961000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-32-0x0000000007B90000-0x0000000007B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-19-0x0000000000000000-mapping.dmp
    Download
  • memory/2716-41-0x0000000008980000-0x0000000008981000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-42-0x0000000008AF0000-0x0000000008AF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-43-0x0000000008EB0000-0x0000000008EB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-44-0x000000007F060000-0x000000007F061000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2716-45-0x0000000004163000-0x0000000004164000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-9-0x0000000005660000-0x0000000005661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-8-0x0000000007000000-0x0000000007001000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-7-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-6-0x00000000056E0000-0x00000000056E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-2-0x0000000073840000-0x0000000073F2E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3116-18-0x0000000005170000-0x0000000005171000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-5-0x0000000005B00000-0x0000000005B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3116-3-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
    Filesize

    4KB

    Download