Overview

overview

10

Static

static

be39908fb0...23.exe

windows7_x64

10

be39908fb0...23.exe

windows10_x64

10

Analysis

  • max time kernel
    143s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    20-04-2021 12:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be39908fb0cae5cdbbb7982a6ace4f23.exe

  • Size

    1.0MB

  • MD5

    be39908fb0cae5cdbbb7982a6ace4f23

  • SHA1

    f19fd7e8c80393e59ab19954d7b67b8323c0496e

  • SHA256

    282b5d50f956c8ac1dea9080f1ba21129ce937a6d234fad62e17136509ac5166

  • SHA512

    8a1aa9de76754a21736ab83fb3b98d9cffb49dbb2e60f21092c64d09debcb08ff912352f1df641e36943fd257e7c88fcc11f71479baf825c747b5bca25268c9b

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.scrablex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Chisom123.

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe
    "C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe
      "C:\Users\Admin\AppData\Local\Temp\be39908fb0cae5cdbbb7982a6ace4f23.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3240

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\be39908fb0cae5cdbbb7982a6ace4f23.exe.log
    MD5

    65f1f0c7993639f9f9e1d524224a2c93

    SHA1

    5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c

    SHA256

    e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93

    SHA512

    3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23

    Download Submit

  • memory/2188-123-0x0000000005D70000-0x0000000005D79000-memory.dmp

    Filesize

    36KB

    Download

  • memory/2188-120-0x0000000004F30000-0x0000000004F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-124-0x000000007F110000-0x000000007F111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-119-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-125-0x0000000006030000-0x00000000060B5000-memory.dmp

    Filesize

    532KB

    Download

  • memory/2188-121-0x0000000005710000-0x0000000005711000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-122-0x0000000004D10000-0x000000000520E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2188-126-0x0000000000C30000-0x0000000000C7B000-memory.dmp

    Filesize

    300KB

    Download

  • memory/2188-118-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-117-0x0000000005210000-0x0000000005211000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-114-0x00000000002D0000-0x00000000002D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-116-0x0000000004C70000-0x0000000004C71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-127-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3240-128-0x00000000004375DE-mapping.dmp

    Download

  • memory/3240-133-0x0000000005310000-0x000000000580E000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3240-135-0x0000000005770000-0x0000000005771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3240-136-0x0000000006000000-0x0000000006001000-memory.dmp

    Filesize

    4KB

    Download