Overview

overview

10

Static

static

signed_19272.exe

windows7_x64

10

signed_19272.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    168s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 02:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    signed_19272.exe

  • Size

    485KB

  • MD5

    29fe793a432bfccb58d667ffb3b32547

  • SHA1

    d7cce5305cb72e8f0ac1331c1178527e9936a071

  • SHA256

    3f4d8c350538601c60ddb8393b0c70904bbb81be0b59478770730dfe7a243e76

  • SHA512

    43cbb5ace671963742b3727407e03c223850e168b54a03ea3a48b9b51e68558e5289b1d70d994bfcc5788530fb079b7bc523f7d23a401cad734e4b00ebbe09df

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.pptoursperu.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    mailppt2019-

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\signed_19272.exe
    "C:\Users\Admin\AppData\Local\Temp\signed_19272.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3840
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:4392
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4304

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3840-130-0x0000000000AA0000-0x0000000000B20000-memory.dmp
      Filesize

      512KB

      Download
    • memory/3840-131-0x0000000009F70000-0x000000000A514000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/3840-132-0x00000000056E0000-0x0000000005772000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3840-133-0x00000000054B0000-0x00000000054BA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3840-134-0x0000000009EA0000-0x0000000009F3C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4304-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4304-137-0x0000000000400000-0x0000000000450000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4304-138-0x0000000005820000-0x0000000005886000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4304-139-0x00000000064D0000-0x0000000006520000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4392-135-0x0000000000000000-mapping.dmp
      Download