Overview

overview

10

Static

static

1

SecuriteIn...74.exe

windows7_x64

7

SecuriteIn...74.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    21-04-2021 12:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Troj.Kryptik-VJ.3407.30574.exe

  • Size

    315KB

  • MD5

    3a692065da4431a90f59c2a7bc08ea05

  • SHA1

    5a14506f1e4768cf38415efa74b63ee9c4d35d4a

  • SHA256

    54cbf563334d886d981722181262d0b4d789d401e01c144001f7920cec661a65

  • SHA512

    1a38dbb8d13d78bba2bf03b4481bc13d559b19bf0923075f2970331590668caed79e15256cd7e0d4f5ba783e887f421db3b87e8ec395c4f08ae81b2e7dc27063

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.privateemail.com
  • Port:
    587
  • Username:
    eammorris@askoblue.com
  • Password:
    zQHG#uz5

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-VJ.3407.30574.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-VJ.3407.30574.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Kryptik-VJ.3407.30574.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4012

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsm25FE.tmp\t28svw3v.dll
    MD5

    d3dade7ac09d859215e1ad349d12be2d

    SHA1

    6418cb6d299e6da99197aa86b6b908b0bdf791c8

    SHA256

    ab2c41237f270cb933223e0ec8d0c419ee3dc962fd0ce0687dddb5335cbb0d0a

    SHA512

    423c7e6bd7ea66f0b098a0383307e5a680da89b881d85e495bf632112e802ac049d46ff57264f12a371a546e4e77526019b4c0698ae8bed97197baeea9f4f61d

    Download Submit
  • memory/3680-115-0x0000000002830000-0x0000000002831000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-116-0x0000000002831000-0x0000000002836000-memory.dmp
    Filesize

    20KB

    Download
  • memory/4012-117-0x000000000043761E-mapping.dmp
    Download
  • memory/4012-118-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4012-120-0x0000000005320000-0x0000000005321000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-121-0x0000000004EC0000-0x0000000004EC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-122-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-123-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-124-0x0000000005B10000-0x0000000005B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-125-0x00000000061A0000-0x00000000061A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-126-0x0000000005CC0000-0x0000000005CC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4012-127-0x0000000004CB1000-0x0000000004CB2000-memory.dmp
    Filesize

    4KB

    Download