Overview

overview

10

Static

static

MAERSK KLE...49.exe

windows7_x64

10

MAERSK KLE...49.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 11:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MAERSK KLEVEN V.949.exe

  • Size

    3.9MB

  • MD5

    21eda5c3a9b012e0ae18f446da1b9eeb

  • SHA1

    0b01392f53c0fe65952495ba14af70420d2c5853

  • SHA256

    f1f8cbfc6921ce73c2c3668b2fded2a1bdb3cf8d5434f23090840115188fd7b9

  • SHA512

    74ae6555b9329bc549bd686f9d861b2d09bf0030b07a1289801bef239751c770fcb3ef729e6bcf724f32a6869893bb119480d3680e78b6be5bccc770bf517c18

Score
10/10
agentteslacollectionevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.gammavilla.org
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    county2018

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Modifies Windows Defender Real-time Protection settings 3 TTPs
    evasiontrojan
  • AgentTesla Payload 1 IoCs
  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MAERSK KLEVEN V.949.exe
    "C:\Users\Admin\AppData\Local\Temp\MAERSK KLEVEN V.949.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Drops startup file
    • Windows security modification
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3656
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4804

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Winlogon Helper DLL

1
T1004

Modify Existing Service

1
T1031

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

4
T1112

Disabling Security Tools

2
T1089

Credential Access

Discovery

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2736-130-0x0000000000D80000-0x0000000001174000-memory.dmp
    Filesize

    4.0MB

    Download
  • memory/2736-131-0x0000000005AA0000-0x0000000005B3C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2736-132-0x0000000006160000-0x0000000006704000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3656-133-0x0000000000000000-mapping.dmp
    Download
  • memory/3656-134-0x0000000002540000-0x0000000002576000-memory.dmp
    Filesize

    216KB

    Download
  • memory/3656-135-0x0000000005010000-0x0000000005638000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/3656-136-0x0000000004FB0000-0x0000000004FD2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3656-137-0x0000000005770000-0x00000000057D6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3656-138-0x0000000005850000-0x00000000058B6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3656-139-0x0000000005E70000-0x0000000005E8E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3656-140-0x0000000007020000-0x0000000007052000-memory.dmp
    Filesize

    200KB

    Download
  • memory/3656-141-0x0000000071120000-0x000000007116C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/3656-142-0x0000000006FE0000-0x0000000006FFE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/3656-143-0x00000000077C0000-0x0000000007E3A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/3656-144-0x0000000007170000-0x000000000718A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3656-145-0x00000000071E0000-0x00000000071EA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3656-146-0x00000000073F0000-0x0000000007486000-memory.dmp
    Filesize

    600KB

    Download
  • memory/3656-147-0x00000000073B0000-0x00000000073BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3656-148-0x00000000074C0000-0x00000000074DA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/3656-149-0x00000000074A0000-0x00000000074A8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4804-150-0x0000000000000000-mapping.dmp
    Download
  • memory/4804-151-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/4804-152-0x0000000004F70000-0x0000000005002000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4804-153-0x0000000006270000-0x00000000062C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4804-154-0x0000000006220000-0x000000000622A000-memory.dmp
    Filesize

    40KB

    Download