Overview

overview

10

Static

static

7ca0541b.exe

windows7_x64

10

7ca0541b.exe

windows10_x64

10

Analysis

  • max time kernel
    118s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    23-10-2021 08:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ca0541b.exe

  • Size

    783KB

  • MD5

    c76f187107bee1ce2df352b05e630356

  • SHA1

    2c4e9462828e90573965ea02efc1b22d4020cbe8

  • SHA256

    7ca0541b2df62e8b9e2b7b81f0c151f93a9c630d3c31252856932a4a824d3100

  • SHA512

    47db99c394dcf9ebd29d5e9058ef34e40bd09163de4473231aad48f3e6326954a8f11442d482e23c89e731bdfd3974f0aad17e3aaacbaca77730997f27851d3a

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.electronmash.com
  • Port:
    587
  • Username:
    office@electronmash.com
  • Password:
    Zanzibar2018

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe
    "C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jpkwTXwTqIHZh" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5281.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:4492
    • C:\Users\Admin\AppData\Local\Temp\7ca0541b.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\7ca0541b.exe.log
    MD5

    5e7bb97636a484b5a87e60373614279a

    SHA1

    36bfdec32eedb141a4a106d89a453326f62593ee

    SHA256

    12ed6e1df2c57556c59dfd6630fd454a9df76166f340c41ee6bc54d98e709e20

    SHA512

    448c62d538e646045d7315ff902b86f614e2dc1eb0959c22c6618fd2c8767c330d24692357559310e6b55b0c35415a14a6ab2d6d9b8d2a03186949b97190fd56

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp5281.tmp
    MD5

    6880d6ee8d644ab4545f798e47a78434

    SHA1

    f17d0ea3572e476c264f312f070ab70f2362bd40

    SHA256

    83303c08b1ff4c2dd86b7bb1ca2456524f7c00d291a1b41bf0c2422836d72efa

    SHA512

    506675128c8f1a32bb9fadaccb3591aef4585244784e3657e192e31ac461355456421999026a76d11d57897abbe03ee878a0c3535ac3282f25db8cc503a5a0f1

    Download Submit
  • memory/520-115-0x0000000000D70000-0x0000000000D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/520-116-0x0000000000D71000-0x0000000000D72000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4492-117-0x0000000000000000-mapping.dmp
    Download
  • memory/4632-119-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/4632-120-0x00000000004374FE-mapping.dmp
    Download
  • memory/4632-122-0x0000000000BE0000-0x0000000000BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4632-123-0x0000000000BE1000-0x0000000000BE2000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4632-124-0x0000000000BE2000-0x0000000000BE3000-memory.dmp
    Filesize

    4KB

    Download