Overview

overview

10

Static

static

1

DETAILS PR...__.exe

windows7_x64

10

DETAILS PR...__.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 21:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DETAILS PROFORMA BANKING_____________pdf_____________.exe

  • Size

    464KB

  • MD5

    698d250ff08f3121dc1652384430f942

  • SHA1

    e4e9829b91795d7908ea8967f065c1c36bb553a1

  • SHA256

    498156982ed9aecacb9a26f6bb4842752c1ad265ab662c25893f5e8e0eebf277

  • SHA512

    c5d0d567638f67063f41dada5689fa6aa66af408f2103a48a06daf0179682cec40a6e3bcfc08ec9e96d1253cdd34fb1d71fc1e2e4c47266e20e2d93dc102f95f

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe
    "C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1424
    • C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe
      "C:\Users\Admin\AppData\Local\Temp\DETAILS PROFORMA BANKING_____________pdf_____________.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1744
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 508
        3⤵
        • Suspicious behavior: GetForegroundWindowSpam
        PID:1360

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstB77E.tmp\ibmbeute.dll
    MD5

    4b00a8fede03377e8ec902ead69358e4

    SHA1

    a916daab58c19f2e7bb0f37f18ceba58521ac7e8

    SHA256

    4fc85337cd5783bd1aa5056ee9c6b3099db05812b32f467696b23aaff3683c36

    SHA512

    aece6578422664e59a85db578748efed150cdd079f7e0e7fda1ae715e1396b2536a436edb0929c979c356b4069ec2675a8a1c417fcec20ce2314d45a98fe761f

    Download Submit
  • memory/1360-64-0x0000000000000000-mapping.dmp
    Download
  • memory/1360-66-0x0000000000760000-0x0000000000761000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1424-53-0x0000000076201000-0x0000000076203000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1744-55-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1744-56-0x000000000040188B-mapping.dmp
    Download
  • memory/1744-59-0x0000000000230000-0x0000000000231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-58-0x0000000000400000-0x000000000044B000-memory.dmp
    Filesize

    300KB

    Download
  • memory/1744-60-0x0000000000231000-0x0000000000232000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-62-0x0000000000237000-0x0000000000238000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1744-61-0x0000000000232000-0x0000000000234000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1744-63-0x0000000000238000-0x0000000000239000-memory.dmp
    Filesize

    4KB

    Download