Overview

overview

10

Static

static

QUOTE 002242020.exe

windows7_x64

10

QUOTE 002242020.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    187s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 02:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    QUOTE 002242020.exe

  • Size

    2.1MB

  • MD5

    bdbfa33c09b950889d9fc19954f20935

  • SHA1

    d9c6cf2322734d49a1c479ff31d044ccef2f739e

  • SHA256

    51558f41331f2345cd146dc9705f48e8a6fdc425e6744658ff2ea53d42d34ae6

  • SHA512

    5ab3679f6c523a4a5d73678461f5089713b06fde01d59d42e2ca728d7723af01d135eba0737bf1606f105bb0a64573807cc687b8f4ba0666f4678948f1ae6fa7

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.parshavayealborz.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P@rshava123456

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 1 IoCs
  • Drops startup file 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • AutoIT Executable 4 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTE 002242020.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2100
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        3⤵
        • Drops startup file
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4884
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
          4⤵
          • Drops file in Drivers directory
          • Accesses Microsoft Outlook profiles
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          • outlook_office_path
          • outlook_win_path
          PID:4424
          • C:\Windows\SysWOW64\REG.exe
            REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
            5⤵
            • Modifies registry key
            PID:548
          • C:\Windows\SysWOW64\netsh.exe
            "netsh" wlan show profile
            5⤵
              PID:3372

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Email Collection

    1
    T1114

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/392-130-0x00000000007E0000-0x00000000009F4000-memory.dmp
      Filesize

      2.1MB

      Download
    • memory/392-131-0x0000000005390000-0x000000000542C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/392-132-0x0000000005760000-0x00000000057F2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/392-133-0x0000000008D20000-0x00000000092C4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/548-150-0x0000000000000000-mapping.dmp
      Download
    • memory/2100-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2100-135-0x0000000000400000-0x00000000005B2000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3372-152-0x0000000000000000-mapping.dmp
      Download
    • memory/4424-149-0x0000000005FB0000-0x0000000006016000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4424-141-0x0000000000000000-mapping.dmp
      Download
    • memory/4424-142-0x0000000000400000-0x0000000000452000-memory.dmp
      Filesize

      328KB

      Download
    • memory/4424-151-0x0000000006B60000-0x0000000006BB0000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4424-153-0x0000000006DC0000-0x0000000006DCA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4884-139-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4884-140-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4884-147-0x0000000003670000-0x0000000003707000-memory.dmp
      Filesize

      604KB

      Download
    • memory/4884-148-0x0000000004390000-0x0000000004427000-memory.dmp
      Filesize

      604KB

      Download
    • memory/4884-138-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4884-137-0x0000000000400000-0x0000000000579000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/4884-136-0x0000000000000000-mapping.dmp
      Download