Overview

overview

10

Static

static

RFQ T7-30032020.exe

windows7_x64

10

RFQ T7-30032020.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    190s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 04:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RFQ T7-30032020.exe

  • Size

    697KB

  • MD5

    a189817dbab853329eb05c34f1c8e5e5

  • SHA1

    68f28e839fc32aa4f2b62d8aaac49c8127b18e0a

  • SHA256

    4850ce25c3caf99fc7f558ec6666d08c43d69ed4e1be9a8fd37f289db69561ab

  • SHA512

    3a5756d37b4de9f2a6b2ef59a11ab01ffd145791c5a136a882e1a520072cb344b697a84e4520c3a58246fc924f7a0f316ac1bc0c8ba9458ba3e88a1ba6cd8041

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.fipco-sa.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    breakingnews77

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs
    evasion
  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Modifies Installed Components in the registry 2 TTPs
    persistence
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 6 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 15 IoCs
  • Suspicious use of WriteProcessMemory 38 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe
    "C:\Users\Admin\AppData\Local\Temp\RFQ T7-30032020.exe"
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4148
    • \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe 
      "c:\users\admin\appdata\local\temp\rfq t7-30032020.exe "
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3380
      • \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe 
        "{path}"
        3⤵
        • Executes dropped EXE
        PID:4432
      • \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe 
        "{path}"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:4312
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          4⤵
            PID:5116
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        2⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4144
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          3⤵
          • Modifies WinLogon for persistence
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2124
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            4⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2596
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              5⤵
              • Modifies WinLogon for persistence
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:4996
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                6⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4968
              • C:\Windows\SysWOW64\at.exe
                at 07:58 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                6⤵
                  PID:2320
                • C:\Windows\SysWOW64\at.exe
                  at 07:59 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                  6⤵
                    PID:2720

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rfq t7-30032020.exe .log
          Filesize

          496B

          MD5

          cb76b18ebed3a9f05a14aed43d35fba6

          SHA1

          836a4b4e351846fca08b84149cb734cb59b8c0d6

          SHA256

          8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

          SHA512

          7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe 
          Filesize

          423KB

          MD5

          93410fd2945b880f9cb6a4dcc0637bbc

          SHA1

          fa86831282f50ed8efbdf10eeb31900e03ee66a3

          SHA256

          a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

          SHA512

          d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe 
          Filesize

          423KB

          MD5

          93410fd2945b880f9cb6a4dcc0637bbc

          SHA1

          fa86831282f50ed8efbdf10eeb31900e03ee66a3

          SHA256

          a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

          SHA512

          d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

          Download Submit
        • C:\Users\Admin\AppData\Local\Temp\rfq t7-30032020.exe 
          Filesize

          423KB

          MD5

          93410fd2945b880f9cb6a4dcc0637bbc

          SHA1

          fa86831282f50ed8efbdf10eeb31900e03ee66a3

          SHA256

          a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

          SHA512

          d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          f8937266c07855421a0970755755d1d9

          SHA1

          e08d738ed3e6d3c780c5b5241f5cef44fc411601

          SHA256

          ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

          SHA512

          d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

          Download Submit
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          Filesize

          274KB

          MD5

          f8937266c07855421a0970755755d1d9

          SHA1

          e08d738ed3e6d3c780c5b5241f5cef44fc411601

          SHA256

          ebcdda59f95aa9871bedc35d75f956c555c810471317179596ec4e58b624fd3f

          SHA512

          d15c14dd72c7daa994e72d976a247118c88b9b65db954eb31235e4244647c9ebabaad9914137f02b19d2f22ef6d9434eb9bd3d728633e5ca42a3fb39f524e8f6

          Download Submit
        • C:\Users\Admin\AppData\Roaming\mrsys.exe
          Filesize

          274KB

          MD5

          25743231bbcf8aadd7a099c87b86fd12

          SHA1

          2ef5247b4ee56072a06995ba81c2187939a15330

          SHA256

          4c62b21669245450b007e1b47a89dbed9092003607cae8ca6c9f37fd94f3e45c

          SHA512

          8e1ea25f524504dc06bf426c17074b19d86bfba2437f96ab760276748dbad514dcc53368397ab2521b9c6b63c2a37cf5e271f58cf7402315aef820fcb282494e

          Download Submit
        • C:\Windows\System\explorer.exe
          Filesize

          274KB

          MD5

          7eeacbb6524cf1718d84a48d8ccac228

          SHA1

          188108f52e30d4d4c85297d8134f006535b22560

          SHA256

          172e22d1b7982934227ef69ff49b819020379f0003f86216195bf3f1d1e1d4ee

          SHA512

          bddf852e7a23abf11f6cd9358934a666cc60b89415097a42c70e8d6879e83283506171560d7dc55bb3d0cc21eaaadf37b1081bedfa320d2e69035bbb01f080ec

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          e7b58958dcc5ad7b3162caffb259bd16

          SHA1

          a6cff40840af18bfab6e36a9f98be95298370453

          SHA256

          332255590c4eeda99744ca34d32ae0b788c44fe0fa347d1cefaea14aaff5ccb6

          SHA512

          c72eb88e4c57e3e5caa4d0120b6e9bcf64efea4118c754cad632bc7f727c322535a7c798ed4fdbf77f93d54fccaa8458ec0cf07810e014338026dea214932491

          Download Submit
        • C:\Windows\System\spoolsv.exe
          Filesize

          274KB

          MD5

          e7b58958dcc5ad7b3162caffb259bd16

          SHA1

          a6cff40840af18bfab6e36a9f98be95298370453

          SHA256

          332255590c4eeda99744ca34d32ae0b788c44fe0fa347d1cefaea14aaff5ccb6

          SHA512

          c72eb88e4c57e3e5caa4d0120b6e9bcf64efea4118c754cad632bc7f727c322535a7c798ed4fdbf77f93d54fccaa8458ec0cf07810e014338026dea214932491

          Download Submit
        • C:\Windows\System\svchost.exe
          Filesize

          274KB

          MD5

          f656ff6aa1d0061ee3b55360d0abdc2e

          SHA1

          42c0c10c8d440d744fd2a4bd757b7d04b2f6627a

          SHA256

          afaa5fe7c441811d6464ddecad87020eb898dcb8e0b4d10f012d48e009ed769a

          SHA512

          93de5cd8257b4bcf565a7311c11b3402ff82a51a0886c1af5e19583dba19e87f6e42ab5a6ab7c5e0dd4bc77ca4f93e476e8c5ac30247636acc59f0ca5ee0dfe3

          Download Submit
        • \??\c:\users\admin\appdata\local\temp\rfq t7-30032020.exe 
          Filesize

          423KB

          MD5

          93410fd2945b880f9cb6a4dcc0637bbc

          SHA1

          fa86831282f50ed8efbdf10eeb31900e03ee66a3

          SHA256

          a1a9bb45a280c34270046131845e66f2fa6772c1f3a5f25712aaf3746398a15e

          SHA512

          d9b7ef59117c82a53c7af8d5d1db70425aadc466f3fb01de8ebcb6ca9068ea4015db17d7bcced4da20770a3c991303bfbf8648961b35c0201d1c9863567cdfe4

          Download Submit
        • \??\c:\windows\system\explorer.exe
          Filesize

          274KB

          MD5

          7eeacbb6524cf1718d84a48d8ccac228

          SHA1

          188108f52e30d4d4c85297d8134f006535b22560

          SHA256

          172e22d1b7982934227ef69ff49b819020379f0003f86216195bf3f1d1e1d4ee

          SHA512

          bddf852e7a23abf11f6cd9358934a666cc60b89415097a42c70e8d6879e83283506171560d7dc55bb3d0cc21eaaadf37b1081bedfa320d2e69035bbb01f080ec

          Download Submit
        • \??\c:\windows\system\spoolsv.exe
          Filesize

          274KB

          MD5

          e7b58958dcc5ad7b3162caffb259bd16

          SHA1

          a6cff40840af18bfab6e36a9f98be95298370453

          SHA256

          332255590c4eeda99744ca34d32ae0b788c44fe0fa347d1cefaea14aaff5ccb6

          SHA512

          c72eb88e4c57e3e5caa4d0120b6e9bcf64efea4118c754cad632bc7f727c322535a7c798ed4fdbf77f93d54fccaa8458ec0cf07810e014338026dea214932491

          Download Submit
        • \??\c:\windows\system\svchost.exe
          Filesize

          274KB

          MD5

          f656ff6aa1d0061ee3b55360d0abdc2e

          SHA1

          42c0c10c8d440d744fd2a4bd757b7d04b2f6627a

          SHA256

          afaa5fe7c441811d6464ddecad87020eb898dcb8e0b4d10f012d48e009ed769a

          SHA512

          93de5cd8257b4bcf565a7311c11b3402ff82a51a0886c1af5e19583dba19e87f6e42ab5a6ab7c5e0dd4bc77ca4f93e476e8c5ac30247636acc59f0ca5ee0dfe3

          Download Submit
        • memory/2124-142-0x0000000000000000-mapping.dmp
          Download
        • memory/2320-176-0x0000000000000000-mapping.dmp
          Download
        • memory/2596-148-0x0000000000000000-mapping.dmp
          Download
        • memory/2596-174-0x0000000000400000-0x000000000043E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/2720-179-0x0000000000000000-mapping.dmp
          Download
        • memory/3380-160-0x0000000074930000-0x0000000074EE1000-memory.dmp
          Filesize

          5.7MB

          Download
        • memory/3380-133-0x0000000000000000-mapping.dmp
          Download
        • memory/4144-173-0x0000000000400000-0x000000000043E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/4144-136-0x0000000000000000-mapping.dmp
          Download
        • memory/4148-175-0x0000000000400000-0x000000000043E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/4312-157-0x0000000000400000-0x0000000000452000-memory.dmp
          Filesize

          328KB

          Download
        • memory/4312-155-0x0000000000000000-mapping.dmp
          Download
        • memory/4432-150-0x0000000000000000-mapping.dmp
          Download
        • memory/4968-167-0x0000000000000000-mapping.dmp
          Download
        • memory/4968-172-0x0000000000400000-0x000000000043E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/4996-161-0x0000000000000000-mapping.dmp
          Download
        • memory/4996-180-0x0000000000400000-0x000000000043E000-memory.dmp
          Filesize

          248KB

          Download
        • memory/5116-178-0x0000000000000000-mapping.dmp
          Download