Overview

overview

10

Static

static

HTG-874663.exe

windows7_x64

10

HTG-874663.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    01-02-2021 07:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    HTG-874663.exe

  • Size

    839KB

  • MD5

    d9eb3af4ba1c40442d03c2e52c8294f9

  • SHA1

    dd42e5fd273166d03c4ba81f8a7c0dafe7bf14b5

  • SHA256

    b663f00658b56580c0eb28ef91864d9b672111bd20953a1ee81fcce3e3b2d5f6

  • SHA512

    e62a5471781e0ddd256edda8abcbdc39876a375043b5eebe3e1f4f737ac0f9893409bb669b69cdc06edfa104dbf3ad96de65080d46ee55a7c9927b913d189ed0

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.kpce-co.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    l9#Qg$:nwmC3

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spyware
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spyware
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\HTG-874663.exe
    "C:\Users\Admin\AppData\Local\Temp\HTG-874663.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Users\Admin\AppData\Local\Temp\HTG-874663.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1908

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1908-8-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1908-9-0x000000000043747E-mapping.dmp

    Download

  • memory/1908-10-0x0000000074EE0000-0x00000000755CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1908-11-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1908-13-0x0000000004A30000-0x0000000004A31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1908-14-0x0000000004A31000-0x0000000004A32000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2032-3-0x0000000000F00000-0x0000000000F01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-5-0x0000000002520000-0x0000000002521000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2032-6-0x0000000000310000-0x0000000000314000-memory.dmp

    Filesize

    16KB

    Download

  • memory/2032-7-0x0000000005F50000-0x0000000006020000-memory.dmp

    Filesize

    832KB

    Download