Overview

overview

10

Static

static

Details as...ail.js

windows7_x64

10

Details as...ail.js

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-en-20211104
  • submitted
    02-12-2021 16:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Details as attached in this mail.js

  • Size

    628KB

  • MD5

    e570e22ed2b2a600241ee070d0c4873d

  • SHA1

    2cea5772982d6695cde4b1c2c8727034ec7d67b3

  • SHA256

    904b4d3ef25a59a896522183f38be8cb155350dc1823cf7784b48e9fe93983c1

  • SHA512

    357a23f2cff7632deb6eb05e2595795e914b56e8526896b9f6bf6736a95ba6b8804c7ee2941fd0a1f056a9ff5b5f219d598efffa4799dea13fb763866f631a89

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://files.000webhost.com/
  • Port:
    21
  • Username:
    zinco
  • Password:
    computer147

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe "C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.js"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe
      "C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:584
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe
    MD5

    2cbaf9720be212b240fa6b8eeacf27ad

    SHA1

    a4e9a68be30a36f134112e6d3b6f1478287c2186

    SHA256

    76b6397c76b3d3f981e87c16e22b7e61dfe5bd5f6bbb4386a8627cf8dfece835

    SHA512

    0e0b604d76a51d161ea8bbb87a02568db0b1043d85fb2107b21b8a6da48dd26a003e3a0869e4fe970da72f895c26634493df0143d292ae83daf5f51974443413

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Details as attached in this mail.exe
    MD5

    2cbaf9720be212b240fa6b8eeacf27ad

    SHA1

    a4e9a68be30a36f134112e6d3b6f1478287c2186

    SHA256

    76b6397c76b3d3f981e87c16e22b7e61dfe5bd5f6bbb4386a8627cf8dfece835

    SHA512

    0e0b604d76a51d161ea8bbb87a02568db0b1043d85fb2107b21b8a6da48dd26a003e3a0869e4fe970da72f895c26634493df0143d292ae83daf5f51974443413

    Download Submit
  • memory/584-64-0x00000000004E0000-0x0000000000517000-memory.dmp
    Filesize

    220KB

    Download
  • memory/584-65-0x0000000000560000-0x000000000056B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/584-59-0x00000000001B0000-0x00000000001B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/584-60-0x0000000002230000-0x0000000002231000-memory.dmp
    Filesize

    4KB

    Download
  • memory/584-61-0x0000000000800000-0x0000000000849000-memory.dmp
    Filesize

    292KB

    Download
  • memory/584-63-0x0000000000290000-0x00000000002BA000-memory.dmp
    Filesize

    168KB

    Download
  • memory/584-56-0x0000000000000000-mapping.dmp
    Download
  • memory/1624-67-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-66-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-69-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-68-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-70-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-71-0x000000000043760E-mapping.dmp
    Download
  • memory/1624-72-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1624-74-0x0000000002180000-0x0000000002181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1624-75-0x0000000002181000-0x0000000002182000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1992-55-0x000007FEFC4C1000-0x000007FEFC4C3000-memory.dmp
    Filesize

    8KB

    Download