Overview

overview

10

Static

static

f744296570...f4.exe

windows7_x64

10

f744296570...f4.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-07-2021 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f744296570d39e6ddddbe45030d989f4.exe

  • Size

    1.1MB

  • MD5

    f744296570d39e6ddddbe45030d989f4

  • SHA1

    3c1caa09abe1c23ac8e4ee426bee7ab4b76a6c31

  • SHA256

    9b0fd69ae3566f372e59db7964a9186d570aebf499d89294be290bfba0248fa4

  • SHA512

    61ac6f6139cbd9cff33aa2d037035f4fdf2522286eb27a63f9b76d59b5445370cb31ec44e45af52139ac5b32f91905cf32d60f8450f76aa7fd5088cbd62a4d37

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.cisburo.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Essaab1967#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f744296570d39e6ddddbe45030d989f4.exe
    "C:\Users\Admin\AppData\Local\Temp\f744296570d39e6ddddbe45030d989f4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lUNThbzNxoZyoj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp33AE.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1472
    • C:\Users\Admin\AppData\Local\Temp\f744296570d39e6ddddbe45030d989f4.exe
      "C:\Users\Admin\AppData\Local\Temp\f744296570d39e6ddddbe45030d989f4.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp33AE.tmp
    MD5

    509a253ef9f2dcf7e205bcce8dd0be4f

    SHA1

    842c5320e63c3c10d0aa0621538752adc5c2b688

    SHA256

    99cf8c405655e97b0c60bdf79df6fe59dc5cb4291bd9824c2cdc77986d6a4a75

    SHA512

    3eb58bdead4d31aeb431c5e700ca6c90cfa07315f5bbb501bd7f72c2126a6ee0e943f352379426b33ace2d577ed71925f2c663af1647d0da3fe6ed0a670400c4

    Download Submit

  • memory/1472-65-0x0000000000000000-mapping.dmp

    Download

  • memory/1900-67-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1900-68-0x00000000004375EE-mapping.dmp

    Download

  • memory/1900-69-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1900-71-0x0000000000D00000-0x0000000000D01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1984-59-0x0000000001330000-0x0000000001331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1984-61-0x0000000000C50000-0x0000000000C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1984-62-0x0000000000240000-0x000000000025B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/1984-63-0x0000000005DD0000-0x0000000005E52000-memory.dmp

    Filesize

    520KB

    Download

  • memory/1984-64-0x0000000000BD0000-0x0000000000C0D000-memory.dmp

    Filesize

    244KB

    Download