Overview

overview

10

Static

static

ITM inspec...ge.exe

windows7_x64

10

ITM inspec...ge.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    01-02-2021 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ITM inspection time change.exe

  • Size

    573KB

  • MD5

    507b34df703d6b225425e3818bc5f1e0

  • SHA1

    e82bc803194cc2fe5fa56193acdb6183eaecf7cd

  • SHA256

    b0ae0cf3460d2a354e39765626ec1059dbcc3d7cb7764abdeaa0790c3e6f574c

  • SHA512

    6abead02a54a22ee48676df616b1a06ed2efbdf452461f97a2f4cdfd83ae264deb8a91fa7de5766d3a698ce4c7395df1464b5699c587f2002ccc6af54c4feac4

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    PfV^BQW2

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ITM inspection time change.exe
    "C:\Users\Admin\AppData\Local\Temp\ITM inspection time change.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "{path}"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3136-12-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3136-24-0x0000000005631000-0x0000000005632000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3136-21-0x0000000006100000-0x0000000006101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3136-20-0x0000000005980000-0x0000000005981000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3136-19-0x0000000005630000-0x0000000005631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3136-14-0x0000000073430000-0x0000000073B1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3136-13-0x00000000004375DE-mapping.dmp

    Download

  • memory/4692-7-0x00000000056F0000-0x00000000056F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-11-0x00000000062E0000-0x00000000062E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-10-0x00000000061C0000-0x0000000006223000-memory.dmp

    Filesize

    396KB

    Download

  • memory/4692-9-0x00000000057A0000-0x00000000057A4000-memory.dmp

    Filesize

    16KB

    Download

  • memory/4692-8-0x0000000005540000-0x0000000005541000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-2-0x0000000073430000-0x0000000073B1E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/4692-6-0x0000000005580000-0x0000000005581000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-5-0x00000000059C0000-0x00000000059C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4692-3-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

    Filesize

    4KB

    Download