Analysis

  • max time kernel
    91s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 01:33

General

  • Target

    PO-055MAY.exe

  • Size

    651KB

  • MD5

    4764f309bdf491747a14f235ffb64dcb

  • SHA1

    41d7678b2da67f53fd00991cfa386cc84de0b1ce

  • SHA256

    d5819b520b3e566b31f7aaf830c521264b8b3bf66b7d85c729537d138e042b81

  • SHA512

    c3ad68790d04b263379ee3702bcc85320367cc604abc70755bf7cdc91e58c1831ab5e89b043bfefcf0e1584c7e47baf6d5ca0f4acda98378bb27c0b128135795

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    webmail.basefirms.name
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Michael126411790

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
    "C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4860
    • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
      "{path}"
      2⤵
      PID:3208
    • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
      "{path}"
      2⤵
      PID:1948
    • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
      "{path}"
      2⤵
      PID:3236
    • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
      "{path}"
      2⤵
      PID:1680
    • C:\Users\Admin\AppData\Local\Temp\PO-055MAY.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4392

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO-055MAY.exe.log
    Filesize
    1KB
    MD5
    400f1cc1a0a0ce1cdabda365ab3368ce
    SHA1
    1ecf683f14271d84f3b6063493dce00ff5f42075
    SHA256
    c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
    SHA512
    14c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45

  • memory/1680-138-0x0000000000000000-mapping.dmp
  • memory/1948-136-0x0000000000000000-mapping.dmp
  • memory/3208-135-0x0000000000000000-mapping.dmp
  • memory/3236-137-0x0000000000000000-mapping.dmp
  • memory/4392-139-0x0000000000000000-mapping.dmp
  • memory/4392-140-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize
    320KB
  • memory/4392-142-0x00000000057E0000-0x0000000005846000-memory.dmp
    Filesize
    408KB
  • memory/4392-143-0x0000000006650000-0x00000000066A0000-memory.dmp
    Filesize
    320KB
  • memory/4860-134-0x00000000091F0000-0x000000000928C000-memory.dmp
    Filesize
    624KB
  • memory/4860-133-0x0000000005920000-0x000000000592A000-memory.dmp
    Filesize
    40KB
  • memory/4860-132-0x0000000005980000-0x0000000005A12000-memory.dmp
    Filesize
    584KB
  • memory/4860-130-0x0000000000A10000-0x0000000000ABA000-memory.dmp
    Filesize
    680KB
  • memory/4860-131-0x0000000005D90000-0x0000000006334000-memory.dmp
    Filesize
    5.6MB