Overview

overview

10

Static

static

5

PO20201.exe

windows7_x64

10

PO20201.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO20201.exe

  • Size

    1.6MB

  • MD5

    144ef7cef25ba3310000ddb81ec5192c

  • SHA1

    b1ab1c5509afb2fda7cf8de4df971ec24ae48e49

  • SHA256

    ef198e1bc193d5b0e033b27059f10e3ae7a5b696f2157bda94d765cc353d6952

  • SHA512

    343cbb325758832b4f7a683fe28aad451f790c450e1ec49e57ca3c71c57ae15b825b878ca2db923070fc8cfe7c97b8104da80eda2e5bcc732a83bd934f1d11fa

Score
10/10
agentteslacollectionevasionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.durainteriordesign.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    successman12

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • Disables Task Manager via registry modification
    evasion
  • Drops file in Drivers directory 2 IoCs
  • Drops startup file 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Suspicious use of SetThreadContext 2 IoCs
  • Program crash 2 IoCs
  • Modifies registry key 1 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO20201.exe
    "C:\Users\Admin\AppData\Local\Temp\PO20201.exe"
    1⤵
    • Drops startup file
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3540
      • C:\Windows\SysWOW64\REG.exe
        REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        3⤵
        • Modifies registry key
        PID:1680
      • C:\Windows\SysWOW64\netsh.exe
        "netsh" wlan show profile
        3⤵
          PID:3932
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3540 -s 1504
          3⤵
          • Program crash
          PID:3852
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"
        2⤵
        • Drops file in Drivers directory
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        • outlook_office_path
        • outlook_win_path
        PID:744
        • C:\Windows\SysWOW64\REG.exe
          REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
          3⤵
          • Modifies registry key
          PID:4084
        • C:\Windows\SysWOW64\netsh.exe
          "netsh" wlan show profile
          3⤵
            PID:3268
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 744 -s 1492
            3⤵
            • Program crash
            PID:792
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 208 -p 3540 -ip 3540
        1⤵
          PID:4024
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 744 -ip 744
          1⤵
            PID:2300

          Network

          MITRE ATT&CK Matrix ATT&CK v6

          Initial Access

          Execution

          Persistence

          Privilege Escalation

          Defense Evasion

          Modify Registry

          1
          T1112

          Credential Access

          Discovery

          Lateral Movement

          Collection

          Email Collection

          1
          T1114

          Exfiltration

          Command and Control

          Impact

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Windows\system32\drivers\etc\hosts
            Filesize

            846B

            MD5

            5b2d17233558878a82ee464d04f58b59

            SHA1

            47ebffcad0b4c358df0d6a06ef335cb6aab0ab20

            SHA256

            5b036588bb4cad3de01dd04988af705da135d9f394755080cf9941444c09a542

            SHA512

            d2aec9779eb8803514213a8e396b2f7c0b4a6f57de1ee84e9db0343ee5ff093e26bb70e0737a6681e21e88898ef5139969ff0b4b700cb6727979bd898fdbc85b

            Download Submit
          • memory/744-145-0x0000000000000000-mapping.dmp
            Download
          • memory/1680-142-0x0000000000000000-mapping.dmp
            Download
          • memory/2272-130-0x0000000003830000-0x00000000038C8000-memory.dmp
            Filesize

            608KB

            Download
          • memory/2272-131-0x0000000004C90000-0x0000000004D28000-memory.dmp
            Filesize

            608KB

            Download
          • memory/3268-153-0x0000000000000000-mapping.dmp
            Download
          • memory/3540-140-0x0000000005B90000-0x0000000005C2C000-memory.dmp
            Filesize

            624KB

            Download
          • memory/3540-141-0x00000000068A0000-0x0000000006906000-memory.dmp
            Filesize

            408KB

            Download
          • memory/3540-139-0x00000000059D0000-0x0000000005A62000-memory.dmp
            Filesize

            584KB

            Download
          • memory/3540-144-0x00000000016B0000-0x0000000001700000-memory.dmp
            Filesize

            320KB

            Download
          • memory/3540-138-0x0000000006140000-0x00000000066E4000-memory.dmp
            Filesize

            5.6MB

            Download
          • memory/3540-133-0x0000000000400000-0x0000000000452000-memory.dmp
            Filesize

            328KB

            Download
          • memory/3540-132-0x0000000000000000-mapping.dmp
            Download
          • memory/3932-143-0x0000000000000000-mapping.dmp
            Download
          • memory/4084-152-0x0000000000000000-mapping.dmp
            Download