Overview

overview

10

Static

static

fda.exe

windows7_x64

10

fda.exe

windows10_x64

10

Analysis

  • max time kernel
    139s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fda.exe

  • Size

    909KB

  • MD5

    9988685bdb69c34939c270df2eff6d47

  • SHA1

    b4aa67fe963f14a8ac6220d8953960a86d7bcdd1

  • SHA256

    f367ab08d8884ebda2ca7101fa509d1216f66c9e788d1b729ce605959f2f57ca

  • SHA512

    c535fec6cffebc266858e46d6ef8b6405a2ac9e50d946d40faf64131eb866611d32b1d9906c70923f075d00e2e88c74afb284d198277c4ef0abaaa24ff9ded7b

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    faithkingsley@vivaldi.net
  • Password:
    kingsofkings123

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fda.exe
    "C:\Users\Admin\AppData\Local\Temp\fda.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:776
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XwsFwyhNyFwyE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Drops file in Drivers directory
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3820

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDFA7.tmp
    MD5

    153e86c8b27e44232359812a3e52cbb4

    SHA1

    f5d8430fbffd44992228740e4a857f4ae20cb947

    SHA256

    6475d0d31ec237b57c756796ab0a1cefe53279de62fa80bc069719dcce17c248

    SHA512

    d6ff85c1424d12f384df870629a72a8c75600110adb8a71d5bc1e9a80fab2b94370c67a5186f7a035755413876d723e07a4abe92db2bb501460d8e8b3b94aa13

    Download Submit
  • memory/776-123-0x000000000A040000-0x000000000A0B2000-memory.dmp
    Filesize

    456KB

    Download
  • memory/776-116-0x00000000055B0000-0x00000000055B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-118-0x00000000050B0000-0x00000000055AE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/776-119-0x00000000050E0000-0x00000000050E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-121-0x0000000005240000-0x0000000005242000-memory.dmp
    Filesize

    8KB

    Download
  • memory/776-117-0x0000000005150000-0x0000000005151000-memory.dmp
    Filesize

    4KB

    Download
  • memory/776-122-0x00000000073F0000-0x00000000074A6000-memory.dmp
    Filesize

    728KB

    Download
  • memory/776-120-0x0000000007760000-0x0000000007761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2124-124-0x0000000000000000-mapping.dmp
    Download
  • memory/3820-126-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/3820-127-0x000000000043782E-mapping.dmp
    Download
  • memory/3820-132-0x0000000004E30000-0x0000000004E31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-133-0x00000000052E0000-0x00000000052E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-134-0x0000000005A90000-0x0000000005A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3820-137-0x0000000004E31000-0x0000000004E32000-memory.dmp
    Filesize

    4KB

    Download