Overview

overview

10

Static

static

Transfer C...on.exe

windows7_x64

10

Transfer C...on.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    132s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    20-05-2022 22:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Transfer Confirmation.exe

  • Size

    617KB

  • MD5

    4933039c07233e307f6a8ee44229f81b

  • SHA1

    e0f164c88ead46da499516596adb16bde31b3243

  • SHA256

    1c8ee9c80b54c9a2f245d2e98ce8d25702becbc6584135c4278169d406016dd8

  • SHA512

    6072234ed2ee6c19e45ccc61dc52e730cbfd568a78ad2e11eae4714c34e95894b8fe93eabcb8c2ad1cc1e3b45a5e0326d393418dce0df7c39b4baa0289a94d7c

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    K$pbkEK0

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 6 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
    "C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ekPvgdvGqRbZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD634.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1692
    • C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
      "{path}"
      2⤵
        PID:1616
      • C:\Users\Admin\AppData\Local\Temp\Transfer Confirmation.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:1960

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Credentials in Files

    3
    T1081

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Data from Local System

    3
    T1005

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpD634.tmp
      Filesize

      1KB

      MD5

      2967455727c7d96c3837c7e2ae25dccf

      SHA1

      a8b6b0e1cb27b7b6818c85f26f588a6e3de2a216

      SHA256

      e49d27b8c91b78fbaa4c1cb3d3d3ad166541894032aff91cfb1b39043e48b569

      SHA512

      a974cb8a239c8034ab7455a1f76d8d92b6511e6343da322f65620f225b5fbec569ccb0b5f688fd1af8f1a84df5ad0e712d22aa603b43bcc251cc79f2bf563b7d

      Download Submit
    • memory/916-57-0x0000000005520000-0x00000000055B4000-memory.dmp
      Filesize

      592KB

      Download
    • memory/916-56-0x0000000000330000-0x000000000033A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/916-54-0x0000000000120000-0x00000000001C0000-memory.dmp
      Filesize

      640KB

      Download
    • memory/916-58-0x00000000059B0000-0x0000000005A2C000-memory.dmp
      Filesize

      496KB

      Download
    • memory/916-55-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1692-59-0x0000000000000000-mapping.dmp
      Download
    • memory/1960-62-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-61-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-65-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-64-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-66-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-67-0x0000000000446DFE-mapping.dmp
      Download
    • memory/1960-69-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1960-71-0x0000000000400000-0x000000000044C000-memory.dmp
      Filesize

      304KB

      Download