Analysis

  • max time kernel
    133s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    03-12-2021 18:15

General

  • Target

    Overdue outstanding payment.exe

  • Size

    529KB

  • MD5

    531e86d55ddb922cd268147ac004f604

  • SHA1

    ea2dc2bf2a84d3f0aae358a0951e962ee8418f82

  • SHA256

    d34b4cfc530b91d44ba82a15cdb948e4424e30ee57245f4792c8303d202df173

  • SHA512

    c58a1a1c5af776464473bd66a1e0f04ebcc749bf2a3b0c346ab6b3c64aac59c28f31a1b45d4c739edc8e578c2055a757c498b20a0f674eef7ea3369e9382934b

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot2129831935:AAFsDWWUF1IwkP0mys1D0YX41mjPAs-L-eU/sendDocument

Exfiltration goes over HTTPS to the Telegram Bot API rather than to attacker-owned infrastructure, so the host name is not a useful block indicator on its own; the bot token embedded in the URL path (bot id 2129831935) is the indicator to pivot on, and sendDocument is the API method that uploads the harvested data as a file attachment.
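Because the token above is the actionable indicator, an analyst normally wants to pull it out of other samples in the same campaign. The following Python is an added example (not part of this report, and not AgentTesla's own code) that extracts Telegram bot tokens and the API method they are used with from a binary blob. It scans both plain ASCII and UTF-16LE runs, since .NET assemblies store user strings as UTF-16LE and a naive `strings` pass misses them. The sample blob is constructed for the example and embeds the URL reported on this page; the 35-character secret length in the regex is an assumption drawn from tokens seen in the wild.

```python
import re

TELEGRAM_API_HOST = "api.telegram.org"

# Telegram bot token: 8-10 digit bot id, a colon, then a 35-character secret.
# The 35-character length is an assumption based on tokens seen in the wild.
# An optional "/<method>" after the token captures the API method used
# (sendDocument, sendMessage, ...), which tells you how data is exfiltrated.
TOKEN_RE = re.compile(r"bot(\d{8,10}):([A-Za-z0-9_-]{35})(?:/([A-Za-z]+))?")

# .NET assemblies keep user strings in the #US heap as UTF-16LE, so a plain
# ASCII `strings` pass misses them; scan both encodings.
ASCII_RUN_RE = re.compile(rb"[\x20-\x7e]{8,}")
UTF16_RUN_RE = re.compile(rb"(?:[\x20-\x7e]\x00){8,}")

# Constructed stand-in for a strings dump: the Telegram URL reported on this page
# stored as a UTF-16LE .NET user string, surrounded by unrelated ASCII and a
# decoy that must not match.
SAMPLE_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 8
    + ("https://api.telegram.org/bot2129831935:"
       "AAFsDWWUF1IwkP0mys1D0YX41mjPAs-L-eU/sendDocument").encode("utf-16-le")
    + b"\x00" * 8
    + b"bot123:notatoken/sendMessage"   # decoy: bot id too short to be a token
    + b"\x00" * 4
)


def printable_strings(data: bytes):
    """Yield (encoding, text) for printable runs of at least 8 characters."""
    for m in ASCII_RUN_RE.finditer(data):
        yield "ascii", m.group().decode("ascii")
    for m in UTF16_RUN_RE.finditer(data):
        yield "utf-16-le", m.group().decode("utf-16-le")


def extract_telegram_c2(data: bytes) -> list:
    """Return one record per distinct bot token, with the API methods it is used with."""
    found = {}
    for encoding, text in printable_strings(data):
        for m in TOKEN_RE.finditer(text):
            bot_id, secret, method = m.groups()
            token = f"{bot_id}:{secret}"
            rec = found.setdefault(token, {
                "bot_id": bot_id,
                "token": token,
                "encoding": encoding,
                "methods": set(),
                # The host is legitimate Telegram infrastructure; the token is the IoC.
                "endpoint": f"https://{TELEGRAM_API_HOST}/bot{token}/",
            })
            if method:
                rec["methods"].add(method)
    for rec in found.values():
        rec["methods"] = sorted(rec["methods"])
    return list(found.values())


if __name__ == "__main__":
    for rec in extract_telegram_c2(SAMPLE_BLOB):
        print(rec)
```

Run it against a memory dump of the hollowed child (the 0x400000-0x43C000 region listed under Downloads is the natural input) rather than the packed file on disk, since the packed outer layer will not contain the string in the clear.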

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; the CLR_v4.0_32 usage log listed under Downloads confirms that this sample ran under the 32-bit .NET runtime.

  • AgentTesla Payload (2 IoCs)
  • Reads data files stored by FTP clients (2 TTPs)

    Tries to access configuration files associated with programs like FileZilla, which keep saved server credentials on disk.

  • Reads user/profile data of local email clients (2 TTPs)

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers (2 TTPs)

    Infostealers often target stored browser data, which can include saved credentials, cookies and similar data.

  • Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (8 IoCs)
  • outlook_office_path (1 IoC)
  • outlook_win_path (1 IoC)

    Read together with the process tree below, the SetThreadContext and WriteProcessMemory hits are the unpacking stage: the first instance (PID 4364) writes the decoded payload into a second copy of itself (PID 4616) and redirects that process's thread into it, which is consistent with process hollowing, and all of the credential-store signatures fire in the second instance.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Overdue outstanding payment.exe
    "C:\Users\Admin\AppData\Local\Temp\Overdue outstanding payment.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4364
    • C:\Users\Admin\AppData\Local\Temp\Overdue outstanding payment.exe
      "C:\Users\Admin\AppData\Local\Temp\Overdue outstanding payment.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4616
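The process tree above (a second copy of the same image, with WriteProcessMemory and SetThreadContext called by the first) and the signature list (credential-store reads attributed to the second copy) are exactly the telemetry a detection engineer would write rules over. The following Python is an added example, not part of the Triage report and not AgentTesla's own code, of that detection logic: it links the self-spawn plus injection APIs into a hollowing finding, then flags credential-store reads by processes that are not the store's legitimate owner and marks whether they happen inside the hollowed child. The event stream is constructed from the PIDs and signature names on this page; the concrete FileZilla, Outlook-profile and browser paths, and the owner allowlist, are assumptions about what the generic signatures refer to.

```python
import re
from collections import defaultdict

IMAGE = r"C:\Users\Admin\AppData\Local\Temp\Overdue outstanding payment.exe"

# Constructed event stream modelled on this report: PIDs, the self-spawn and the API
# call counts come from the process tree; the concrete file and registry paths are
# assumptions about what the generic signatures on the page refer to.
EVENTS = [
    {"type": "process_create", "pid": 4364, "ppid": 0, "image": IMAGE},      # parent not reported
    {"type": "process_create", "pid": 4616, "ppid": 4364, "image": IMAGE},   # second copy of itself
    {"type": "api", "pid": 4364, "target_pid": 4616, "api": "WriteProcessMemory", "count": 8},
    {"type": "api", "pid": 4364, "target_pid": 4616, "api": "SetThreadContext", "count": 1},
    {"type": "file_write", "pid": 4364,
     "path": r"C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue outstanding payment.exe.log"},
    {"type": "registry_read", "pid": 4616,
     "path": r"HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles"},       # assumed key behind outlook_office_path
    {"type": "file_read", "pid": 4616,
     "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\recentservers.xml"},  # assumed FTP-client file
    {"type": "file_read", "pid": 4616,
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},  # assumed browser store
]

# Credential-store locations keyed by the signature name used on this page (regexes over
# the lowercased path). Which files each generic signature covers is an assumption.
CREDENTIAL_STORES = {
    "Reads data files stored by FTP clients": [r"\\filezilla\\(recentservers|sitemanager)\.xml$"],
    "Accesses Microsoft Outlook profiles": [r"\\office\\[\d.]+\\outlook\\profiles",
                                            r"\\windows messaging subsystem\\profiles"],
    "Reads user/profile data of web browsers": [r"\\user data\\[^\\]+\\login data$",
                                                r"\\firefox\\profiles\\.*\\(logins\.json|key4\.db)$"],
    "Reads user/profile data of local email clients": [r"\\thunderbird\\profiles\\"],
}

# Image names that legitimately read their own stores; anything else touching them is reported.
STORE_OWNERS = {"filezilla.exe", "outlook.exe", "chrome.exe", "msedge.exe", "firefox.exe", "thunderbird.exe"}


def analyse(events):
    """Return findings: hollowing pairs first, then CLR/credential-store events in stream order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    apis = defaultdict(set)                      # (caller pid, target pid) -> APIs called
    for e in events:
        if e["type"] == "api":
            apis[(e["pid"], e.get("target_pid"))].add(e["api"])

    findings, hollowed = [], set()
    for (caller, target), called in apis.items():
        parent, child = procs.get(caller), procs.get(target)
        if parent is None or child is None:
            continue
        # Hollowing pattern: spawn a copy of yourself, overwrite its image, retarget its thread.
        if (child["ppid"] == caller and child["image"].lower() == parent["image"].lower()
                and {"WriteProcessMemory", "SetThreadContext"} <= called):
            hollowed.add(target)
            findings.append({"rule": "process hollowing into self-spawned child",
                             "pid": caller, "target_pid": target})

    for e in events:
        path = e.get("path", "")
        low = path.lower()
        if e["type"] == "file_write" and "\\clr_v4.0_32\\usagelogs\\" in low:
            findings.append({"rule": ".NET CLR usage log written (managed code ran)",
                             "pid": e["pid"], "path": path})
        if e["type"] not in ("file_read", "registry_read"):
            continue
        proc = procs.get(e["pid"])
        image_name = proc["image"].rsplit("\\", 1)[-1].lower() if proc else ""
        if image_name in STORE_OWNERS:           # the owning application reading its own store
            continue
        for rule, patterns in CREDENTIAL_STORES.items():
            if any(re.search(p, low) for p in patterns):
                findings.append({"rule": rule, "pid": e["pid"], "path": path,
                                 "in_hollowed_process": e["pid"] in hollowed})
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(finding)
```

Feeding the same logic Sysmon events (1 for process creation, 10/8 for the cross-process access, 11 for file writes and 12/13 for registry reads) needs only a field-name mapping; the point of keying the hollowing rule on "same image as parent" is that a legitimate parent never needs SetThreadContext on a child that is a copy of itself.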

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Overdue outstanding payment.exe.log

    MD5

    f1181bc4bdff57024c4121f645548332

    SHA1

    d431ee3a3a5afcae2c4537b1d445054a0a95f6e6

    SHA256

    f1a7e138b25d0cb24bb4b23bd781b0dd357afd49d45e19ffa44cdb80170336ad

    SHA512

    cf8059f289bcb4f33e82a2c4851fade486bd449793a39718d49bc357efd09689150aedd277c5ebcf79b5ebb4bbe36f0cbb72510a50398bee804ffd9c889604e3

  • memory/4364-122-0x00000000079E0000-0x00000000079E1000-memory.dmp

    Filesize

    4KB

  • memory/4364-124-0x0000000007DF0000-0x0000000007E59000-memory.dmp

    Filesize

    420KB

  • memory/4364-119-0x00000000056A0000-0x0000000005B9E000-memory.dmp

    Filesize

    5.0MB

  • memory/4364-120-0x0000000005640000-0x0000000005641000-memory.dmp

    Filesize

    4KB

  • memory/4364-121-0x00000000057E0000-0x00000000057E8000-memory.dmp

    Filesize

    32KB

  • memory/4364-115-0x0000000000CF0000-0x0000000000CF1000-memory.dmp

    Filesize

    4KB

  • memory/4364-123-0x0000000007D50000-0x0000000007D51000-memory.dmp

    Filesize

    4KB

  • memory/4364-118-0x00000000055A0000-0x00000000055A1000-memory.dmp

    Filesize

    4KB

  • memory/4364-117-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

    Filesize

    4KB

  • memory/4616-126-0x000000000043779E-mapping.dmp

  • memory/4616-125-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/4616-132-0x00000000052D0000-0x00000000052D1000-memory.dmp

    Filesize

    4KB

  • memory/4616-133-0x0000000005F70000-0x0000000005F71000-memory.dmp

    Filesize

    4KB

  • memory/4616-134-0x0000000006000000-0x0000000006001000-memory.dmp

    Filesize

    4KB