Overview

overview

10

Static

static

8

Fattura_01137434.xlsm

windows7_x64

1

Fattura_01137434.xlsm

windows10_x64

1

Fattura_01438445.xlsm

windows7_x64

1

Fattura_01438445.xlsm

windows10_x64

1

Fattura_01634446.xlsm

windows7_x64

1

Fattura_01634446.xlsm

windows10_x64

1

IMG_056_107_0282.exe

windows7_x64

10

IMG_056_107_0282.exe

windows10_x64

10

IMG_056_107_0282.xlsx

windows7_x64

8

IMG_056_107_0282.xlsx

windows10_x64

1

IMG_5018_330_92.exe

windows7_x64

10

IMG_5018_330_92.exe

windows10_x64

10

IMG_5018_330_92.xlsx

windows7_x64

8

IMG_5018_330_92.xlsx

windows10_x64

1

PI.exe

windows7_x64

10

PI.exe

windows10_x64

10

cks.exe

windows7_x64

10

cks.exe

windows10_x64

10

Scan_018819.exe

windows7_x64

10

Scan_018819.exe

windows10_x64

10

slot Charges.exe

windows7_x64

10

slot Charges.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    113s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    13-05-2021 21:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_5018_330_92.exe

  • Size

    723KB

  • MD5

    ad44d5764bd7ad4db1e725b66f01498e

  • SHA1

    2d64033647906613abfbe2da8176b768d88b9fd5

  • SHA256

    798cecbce0139e502fd6b23a7d147480d25a168d93131ba2e59f5b81ddbebb28

  • SHA512

    73b295ff876fdcee2ba8c3d2a71a479ac5aeda69d7d4b9f42067c98cafc954925309f2f2ebf4a110844466a03a163bd211a67fcd5aac8f56195bcdf69bbeba6a

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    sixjan.xyz
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    H^i?T2&gWQ({

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_5018_330_92.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_5018_330_92.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Users\Admin\AppData\Local\Temp\IMG_5018_330_92.exe
      C:\Users\Admin\AppData\Local\Temp\IMG_5018_330_92.exe
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3936

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG_5018_330_92.exe.log
    MD5

    c31e50ab6f750c3bf7c953131e7d3b05

    SHA1

    2ef4f740564cb5c4b3009e9383910337f6f8d42e

    SHA256

    9c277f8f0f0efe176fdd520fda19e40d1900dc84e4f068c1ec33c68488bc0d56

    SHA512

    374ae5a6577e914e457d1d4f6439063de1b6d438279a02cae407753c4af01fb5ac1bc91eb25843905d04eebdefff34e9208bcd5e6d010d7594369a183a28bde9

    Download Submit

  • memory/2112-121-0x0000000006930000-0x0000000006931000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-116-0x00000000050C0000-0x00000000050C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-118-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-119-0x0000000004BC0000-0x00000000050BE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/2112-120-0x0000000006830000-0x00000000068A8000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2112-114-0x00000000003B0000-0x00000000003B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-122-0x0000000008B30000-0x0000000008B62000-memory.dmp

    Filesize

    200KB

    Download

  • memory/2112-117-0x0000000004D20000-0x0000000004D21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-124-0x00000000004375FE-mapping.dmp

    Download

  • memory/3936-123-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/3936-129-0x00000000053C0000-0x00000000053C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-130-0x00000000051F0000-0x00000000056EE000-memory.dmp

    Filesize

    5.0MB

    Download

  • memory/3936-131-0x0000000005E50000-0x0000000005E51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3936-132-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

    Filesize

    4KB

    Download