Overview

overview

10

Static

static

z8WufQDmHPxb9FP.exe

windows7_x64

10

z8WufQDmHPxb9FP.exe

windows10_x64

10

Analysis

  • max time kernel
    299s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 09:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    z8WufQDmHPxb9FP.exe

  • Size

    653KB

  • MD5

    bc7cbd5aae47693ebd6c19a9f6ae7976

  • SHA1

    376072c8e8c2aadd66b772ffb6f2094254818eb4

  • SHA256

    d4c6b6a00d510bba75da888a42569c72a43f2585b82b29e65298897d03285b76

  • SHA512

    cb35a62642d870d4cb7d52472bdc491cdf1efc4e0f57b374c0d0bd8b76a922a4ea7e66aed13c79b9ba2354a082b5ec34a09416fd90b848b297b96ca113c1ed8b

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    outback.websitewelcome.com
  • Port:
    587
  • Username:
    procc@ogenexblog24.com
  • Password:
    Thisyear2020

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\z8WufQDmHPxb9FP.exe
    "C:\Users\Admin\AppData\Local\Temp\z8WufQDmHPxb9FP.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FzvRCoQF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC4D.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1748
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:612
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 516
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1744
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:848

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpBC4D.tmp
    MD5

    60f760c4d1becf35bc16d75c9632637c

    SHA1

    a1f5e17aecd0b21f4afae777e52546d24735a7fa

    SHA256

    e78d53828010b7435f522cb634c0fcc7e2799498052b84c7204f51a75fd21b0c

    SHA512

    017d0b98e44577cff6557210ea24c3950f95a237fb513e08ed4e3317d9ecc35c339b3321dd66c74a13bafe2c0558907c0e923c61b111b6259459e737d8827241

    Download Submit
  • memory/612-64-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/612-65-0x0000000000436BBE-mapping.dmp
    Download
  • memory/612-67-0x0000000000550000-0x0000000000551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/848-71-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1744-68-0x0000000000000000-mapping.dmp
    Download
  • memory/1744-70-0x0000000000420000-0x0000000000434000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1748-62-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-59-0x0000000075511000-0x0000000075513000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-60-0x0000000000B30000-0x0000000000B31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-61-0x0000000000B31000-0x0000000000B32000-memory.dmp
    Filesize

    4KB

    Download