Overview

overview

10

Static

static

9

Fwd Overdu...st.exe

windows7_x64

10

Fwd Overdu...st.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    103s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-05-2022 12:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Fwd Overdue balance request.exe

  • Size

    525KB

  • MD5

    327e095912044c837cd14c4790b5b722

  • SHA1

    f2785765bf53962850454c04b2ae9a5781dad2c3

  • SHA256

    d3f1a9f5aee95facc51d611b7deeef7da85a30c028be4a3cc9cd10d0e7bf99cf

  • SHA512

    29dc2737c9111bef912736b698a83e8295201317e8a062b8ec06b72ad4b4a40a0a291406e7f50e0947eeebd236bf2ced81aaf87c954ba1b7efea39c9208a9fba

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ijeomam288

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.yandex.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ijeomam288

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla Payload 1 IoCs
  • CoreCCC Packer 1 IoCs

    Detects CoreCCC packer used to load .NET malware.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe
    "C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4608
    • C:\Users\Admin\AppData\Local\Temp\Fwd Overdue balance request.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3136

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3136-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3136-136-0x0000000000400000-0x0000000000450000-memory.dmp
    Filesize

    320KB

    Download
  • memory/3136-137-0x00000000065B0000-0x0000000006616000-memory.dmp
    Filesize

    408KB

    Download
  • memory/3136-138-0x0000000006C00000-0x0000000006C50000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4608-130-0x0000000000860000-0x00000000008EA000-memory.dmp
    Filesize

    552KB

    Download
  • memory/4608-131-0x0000000005870000-0x0000000005E14000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4608-132-0x00000000052C0000-0x0000000005352000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4608-133-0x0000000005290000-0x000000000529A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4608-134-0x0000000007830000-0x00000000078CC000-memory.dmp
    Filesize

    624KB

    Download