Overview

overview

10

Static

static

ab.exe

windows7_x64

10

Analysis

  • max time kernel
    291s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    19-10-2021 13:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab.exe

  • Size

    903KB

  • MD5

    9ce4ad1c6b3922f9b1f5e791cd67ca4c

  • SHA1

    684fd0a504a88891c7886b2f66a88b31e19d4fa8

  • SHA256

    d70ef7100ac3b81d499e79035dd0b44c42ace5ae7b2b8a37a7d1eff742a27d9e

  • SHA512

    ae09c4ecab4681f41c7e68fceb7a68e18d7360efa6b34df5347951c7420c807ea2c53152f6782d1d38c138829aceb7c5c815078e6fa13bbb490e7d3cab52a671

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.manlogistics.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ma&*$367Jhn

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 5 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab.exe
    "C:\Users\Admin\AppData\Local\Temp\ab.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1648
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tGUCfQbGRB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88BF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:752
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:856
  • C:\Windows\explorer.exe
    "C:\Windows\explorer.exe"
    1⤵
      PID:1072
    • C:\Windows\System32\control.exe
      "C:\Windows\System32\control.exe" SYSTEM
      1⤵
        PID:1676
      • C:\Windows\SysWOW64\DllHost.exe
        C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
        1⤵
          PID:752
        • C:\Windows\system32\systempropertiesremote.exe
          "C:\Windows\system32\systempropertiesremote.exe"
          1⤵
            PID:1760
          • C:\Windows\SysWOW64\DllHost.exe
            C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
            1⤵
              PID:1656
            • C:\Windows\system32\mmc.exe
              "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
              1⤵
              • Drops file in System32 directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of SetWindowsHookEx
              PID:1592

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmp88BF.tmp
              MD5

              53bc1f977e13f870666fe4af9fc6d6f7

              SHA1

              caa5e013689c19c1baf19b39b2c16a6c3a68a0ce

              SHA256

              30c9e126a83207d1b4d98e312229d6dec94645f1e271d502f3aad6859276a116

              SHA512

              a208e8e171765e902f659f8c8237fcbd574540185d2212d335bf99d031fa83245a638e90e99c66597845672f3b41abfb77bcc763d6af54d8c119295d28ec25a8

              Download Submit

            • memory/752-61-0x0000000000000000-mapping.dmp

              Download

            • memory/752-76-0x000000006E7B1000-0x000000006E7B3000-memory.dmp

              Filesize

              8KB

              Download

            • memory/856-71-0x0000000004A70000-0x0000000004A71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/856-67-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/856-73-0x0000000004A71000-0x0000000004A72000-memory.dmp

              Filesize

              4KB

              Download

            • memory/856-69-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/856-68-0x00000000004376FE-mapping.dmp

              Download

            • memory/856-63-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/856-64-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/856-65-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/856-66-0x0000000000400000-0x000000000047E000-memory.dmp

              Filesize

              504KB

              Download

            • memory/1072-72-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1592-80-0x0000000002270000-0x0000000002271000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1648-59-0x0000000008140000-0x00000000081E2000-memory.dmp

              Filesize

              648KB

              Download

            • memory/1648-57-0x0000000004E70000-0x0000000004E71000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1648-58-0x0000000000400000-0x000000000040E000-memory.dmp

              Filesize

              56KB

              Download

            • memory/1648-54-0x0000000001330000-0x0000000001331000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1648-60-0x000000000A910000-0x000000000A98A000-memory.dmp

              Filesize

              488KB

              Download

            • memory/1648-56-0x0000000076431000-0x0000000076433000-memory.dmp

              Filesize

              8KB

              Download