Overview

overview

10

Static

static

yl9KgwwOXDZoGMw.exe

windows7_x64

10

yl9KgwwOXDZoGMw.exe

windows10_x64

10

Analysis

  • max time kernel
    136s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    11-05-2021 12:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yl9KgwwOXDZoGMw.exe

  • Size

    906KB

  • MD5

    798cb8a4ceae24a7a2fd213deb85a107

  • SHA1

    3d7ec487833c318b475818cf771c2af165b6d82b

  • SHA256

    f076d51c4fa09d0e318d43f41560fa50b8c4a4f327effa8aeafedf947800e4d8

  • SHA512

    22dab34cf8ff46cc419705e4ab50929eeca9b20361f8716fea5d578c0e0a1e27e6a0d7c27a15a62d9923ca534b2e72c5aab49d66fd3f4e46d57cb3d6e5ca4532

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    ken@kengrouco.xyz
  • Password:
    Everest10

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
    "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4044
    • C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
      "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
      2⤵
        PID:208
      • C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe
        "C:\Users\Admin\AppData\Local\Temp\yl9KgwwOXDZoGMw.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1116

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\yl9KgwwOXDZoGMw.exe.log
      MD5

      5e7bb97636a484b5a87e60373614279a

      SHA1

      36bfdec32eedb141a4a106d89a453326f62593ee

      SHA256

      12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20

      SHA512

      448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56

      Download Submit
    • memory/1116-115-0x0000000000400000-0x000000000043C000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1116-116-0x000000000043767E-mapping.dmp
      Download
    • memory/1116-118-0x00000000014A0000-0x00000000014A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1116-119-0x00000000014A1000-0x00000000014A2000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4044-114-0x0000000002D30000-0x0000000002D31000-memory.dmp
      Filesize

      4KB

      Download