Analysis

  • max time kernel: 120s
  • max time network: 131s
  • platform: windows10-2004_x64
  • resource: win10v2004-20220414-en
  • submitted: 21-05-2022 02:02

General

  • Target: NEW_PO_J.exe
  • Size: 707KB
  • MD5: 56691af2924510627ff5ebfebbf34ae6
  • SHA1: 2da88ce034e652d40d621a1cc3fe5abc6a5c46d5
  • SHA256: bd0942599a238c4cdc3c2da9351ce62e14e6a212513ddd66b9da598fb35dcbf2
  • SHA512: e52797941bb070cbb091387e236218911a7738a623bf4cd4be97e2c9de12985acc115626dde57711ec5b0610b8d88bb6be9ad75d430f06972a16f89c25afd0f9

Malware Config

Extracted

  • Family: agenttesla

Credentials

  • Protocol: smtp
  • Host: mail.ilclaw.com.ph
  • Port: 587
  • Username: [email protected]
  • Password: P@ssw0rd

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW_PO_J.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW_PO_J.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5084
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\BqyzRQawmJj" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB395.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1716
    • C:\Users\Admin\AppData\Local\Temp\NEW_PO_J.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • outlook_office_path
      • outlook_win_path
      PID:1656
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
        PID:236

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    • Execution: Scheduled Task (1) T1053
    • Persistence: Scheduled Task (1) T1053
    • Privilege Escalation: Scheduled Task (1) T1053
    • Credential Access: Credentials in Files (3) T1081
    • Discovery: Query Registry (1) T1012
    • Discovery: System Information Discovery (2) T1082
    • Collection: Data from Local System (3) T1005
    • Collection: Email Collection (1) T1114


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpB395.tmp
      Filesize: 1KB
      MD5: bc49bbd22d791a4121a900c630063596
      SHA1: 9ce797cc323d73af397a4164c7067bb4c4f0b4f4
      SHA256: 76bd0441b1c175841230dddd11a10586a31123810fc0bab26a1c5b6720807091
      SHA512: 215397ff5ee986a17a39d5eb489b31326a14f0fc4afbcaa5df48d7211eaf758e94b4234f113d76d31f8a3ff77689dff1a1f92085b94194cf8964a8153030437b
    • memory/236-144-0x0000000000000000-mapping.dmp
    • memory/1656-140-0x0000000000000000-mapping.dmp
    • memory/1656-141-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
    • memory/1656-142-0x0000000005770000-0x00000000057D6000-memory.dmp (Filesize: 408KB)
    • memory/1656-143-0x0000000006450000-0x00000000064A0000-memory.dmp (Filesize: 320KB)
    • memory/1716-138-0x0000000000000000-mapping.dmp
    • memory/5084-133-0x00000000000C0000-0x000000000017A000-memory.dmp (Filesize: 744KB)
    • memory/5084-134-0x0000000009080000-0x0000000009112000-memory.dmp (Filesize: 584KB)
    • memory/5084-135-0x00000000096D0000-0x0000000009C74000-memory.dmp (Filesize: 5.6MB)
    • memory/5084-136-0x0000000004CB0000-0x0000000004CBA000-memory.dmp (Filesize: 40KB)
    • memory/5084-137-0x0000000005390000-0x000000000542C000-memory.dmp (Filesize: 624KB)