Overview

overview

10

Static

static

SOA.exe

windows7_x64

3

SOA.exe

windows10_x64

10

Analysis

  • max time kernel
    138s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    02-12-2021 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SOA.exe

  • Size

    693KB

  • MD5

    d6264b641a92dc68f18a0b2ad6a8b7b7

  • SHA1

    3810f6de85581a6e58e983f332044e36c9e19703

  • SHA256

    cae83e99c0f43ff07b4ca8965f740e463378e3547323feb5331bb50f8c333873

  • SHA512

    72d30018fc2996afe1b62f52dbd5053ed5ad44f4301ef4e24fca52fc7bb0adb0ec6060ae3692a2b2a5f34313f64b0e79f59e37f288d050010460bc1fa65c1dce

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.scsgroups.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Scs@looi1007

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 3 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOA.exe
    "C:\Users\Admin\AppData\Local\Temp\SOA.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:908

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/908-125-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/908-133-0x0000000005D00000-0x0000000005D01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-132-0x0000000005260000-0x0000000005261000-memory.dmp
    Filesize

    4KB

    Download
  • memory/908-131-0x00000000050A0000-0x000000000559E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/908-126-0x000000000043763E-mapping.dmp
    Download
  • memory/3924-119-0x00000000056A0000-0x00000000056A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3924-122-0x00000000059C0000-0x00000000059C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3924-123-0x0000000006380000-0x0000000006381000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3924-124-0x00000000064C0000-0x0000000006559000-memory.dmp
    Filesize

    612KB

    Download
  • memory/3924-121-0x0000000005870000-0x0000000005878000-memory.dmp
    Filesize

    32KB

    Download
  • memory/3924-120-0x00000000056E0000-0x0000000005BDE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3924-115-0x0000000000C60000-0x0000000000C61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3924-118-0x00000000055A0000-0x00000000055A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3924-117-0x0000000005BE0000-0x0000000005BE1000-memory.dmp
    Filesize

    4KB

    Download