Overview

overview

10

Static

static

yl9KgwwOXDZoGMw.exe

windows7_x64

10

yl9KgwwOXDZoGMw.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    11-05-2021 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yl9KgwwOXDZoGMw.exe

  • Size

    906KB

  • MD5

    798cb8a4ceae24a7a2fd213deb85a107

  • SHA1

    3d7ec487833c318b475818cf771c2af165b6d82b

  • SHA256

    f076d51c4fa09d0e318d43f41560fa50b8c4a4f327effa8aeafedf947800e4d8

  • SHA512

    22dab34cf8ff46cc419705e4ab50929eeca9b20361f8716fea5d578c0e0a1e27e6a0d7c27a15a62d9923ca534b2e72c5aab49d66fd3f4e46d57cb3d6e5ca4532

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    ken@kengrouco.xyz
  • Password:
    Everest10

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
    "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:456
    • C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
      "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 520
        3⤵
          PID:568

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/456-60-0x0000000075591000-0x0000000075593000-memory.dmp
      Filesize

      8KB

      Download
    • memory/456-61-0x00000000009F0000-0x00000000009F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/456-62-0x00000000009F1000-0x00000000009F2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-67-0x0000000000000000-mapping.dmp
      Download
    • memory/568-69-0x00000000004C0000-0x00000000004C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1284-63-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1284-64-0x000000000043767E-mapping.dmp
      Download
    • memory/1284-66-0x0000000002470000-0x0000000002471000-memory.dmp
      Filesize

      4KB

      Download