Overview

overview

10

Static

static

Orden de c...__.exe

windows7_x64

10

Orden de c...__.exe

windows10_x64

10

Analysis

  • max time kernel
    135s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-08-2021 17:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Orden de cotización.xlsx______________________________.exe

  • Size

    852KB

  • MD5

    ef91a695fc5aef7d5c6630fd4e6b5a4f

  • SHA1

    36e11a1a53a68ac4eb081240062954854897ffbf

  • SHA256

    16a5798db6638e9ff43f3cddeeec26ee68c9294637d2c32ef8440f967dcff243

  • SHA512

    d5483e883e94b313af7f92cb8751f0df7c30061dc1971be6706eb2ec64314dd0318c6cd346bea0c236085932e3ae62b1d0eb1eb16a4d4ba4bc85cff76a1e0d33

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    serv-10708.handsonwebhosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    icui4cu2@@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Orden de cotización.xlsx______________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Orden de cotización.xlsx______________________________.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3204
    • C:\Users\Admin\AppData\Local\Temp\Orden de cotización.xlsx______________________________.exe
      "C:\Users\Admin\AppData\Local\Temp\Orden de cotización.xlsx______________________________.exe"
      2⤵
      • Drops file in Drivers directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Orden de cotización.xlsx______________________________.exe.log
    MD5

    c3cc52ccca9ff2b6fa8d267fc350ca6b

    SHA1

    a68d4028333296d222e4afd75dea36fdc98d05f3

    SHA256

    3125b6071e2d78f575a06ed7ac32a83d9262ae64d1fa81ac43e8bfc1ef157c0e

    SHA512

    b0c7b2501b1a2c559795a9d178c0bbda0e03cbdbaaa2c4330ac1202a55373fe1b742078adcfa915bd6e805565a2daa6d35d64ef7a14ffcd09069f9ea6a691cc7

    Download Submit
  • memory/1304-124-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1304-133-0x00000000060B0000-0x00000000060B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-132-0x0000000005600000-0x0000000005601000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1304-131-0x0000000005450000-0x000000000594E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/1304-125-0x000000000043770E-mapping.dmp
    Download
  • memory/3204-118-0x0000000005520000-0x0000000005521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-122-0x0000000008BC0000-0x0000000008C63000-memory.dmp
    Filesize

    652KB

    Download
  • memory/3204-123-0x000000000B3C0000-0x000000000B401000-memory.dmp
    Filesize

    260KB

    Download
  • memory/3204-121-0x0000000005750000-0x0000000005761000-memory.dmp
    Filesize

    68KB

    Download
  • memory/3204-120-0x00000000053A0000-0x000000000589E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3204-119-0x0000000005440000-0x0000000005441000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-114-0x0000000000B40000-0x0000000000B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-117-0x0000000005480000-0x0000000005481000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3204-116-0x00000000058A0000-0x00000000058A1000-memory.dmp
    Filesize

    4KB

    Download