Overview

overview

10

Static

static

pd9EeXdsQtNb3dQ.exe

windows7_x64

10

pd9EeXdsQtNb3dQ.exe

windows10_x64

10

Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    04-05-2021 15:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pd9EeXdsQtNb3dQ.exe

  • Size

    2.2MB

  • MD5

    3dad3d4918e28ded77c3e2e93a42665f

  • SHA1

    8b16dba4992b75a303f63a09d8a41ac99f28ce5c

  • SHA256

    1b61b157db50652678e1e288cfce86f6c74e40f50a468f6d04d0010c84235210

  • SHA512

    57173561296c538c174c3299ea6b64156c48977d8f958f86f14578d4a630ea80e7b6b890e6d1a21f94a1d556173db442b953b685de910f25d886cdeda88b3132

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.iykmoreentrprise.org
  • Port:
    587
  • Username:
    office5@iykmoreentrprise.org
  • Password:
    rwkWCM328

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe
    "C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe
      "C:\Users\Admin\AppData\Local\Temp\pd9EeXdsQtNb3dQ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/368-65-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/368-66-0x00000000004375FE-mapping.dmp
    Download
  • memory/368-67-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/368-69-0x0000000004D00000-0x0000000004D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1104-59-0x0000000001240000-0x0000000001241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1104-61-0x0000000004F80000-0x0000000004F81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1104-62-0x0000000000640000-0x000000000064E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1104-63-0x00000000051C0000-0x000000000523C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/1104-64-0x0000000000C80000-0x0000000000CBE000-memory.dmp
    Filesize

    248KB

    Download