Overview

overview

10

Static

static

10

mannzx.exe

windows7_x64

10

mannzx.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    180s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    22-05-2022 05:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mannzx.exe

  • Size

    209KB

  • MD5

    82cb6d0f9e2223211e36f191b987d0a0

  • SHA1

    d0abcf0a271d5b1599e52ed6767ed56a9197a4b4

  • SHA256

    9bada767c10c932126025f285f82aa13cefe16334ddc888ffdacc68ea90ea2b0

  • SHA512

    1cbf5941a8694f614919e3a5b08ca668ee849fc97df8819393b864e130676f5f365aa1056e840d83ecf67386e69420a647e6dac086c27611680af630387a2919

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealersuricatatrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.adesgroup.co
  • Port:
    21
  • Username:
    ygnation@adesgroup.co
  • Password:
    e7ImUq+2Sgd&

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.adesgroup.co/
  • Port:
    21
  • Username:
    ygnation@adesgroup.co
  • Password:
    e7ImUq+2Sgd&

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • suricata: ET MALWARE AgentTesla Exfil via FTP

    suricata: ET MALWARE AgentTesla Exfil via FTP

    suricata
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mannzx.exe
    "C:\Users\Admin\AppData\Local\Temp\mannzx.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • outlook_office_path
    • outlook_win_path
    PID:4308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4308-130-0x00000000004A0000-0x00000000004DA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/4308-131-0x00000000055C0000-0x0000000005B64000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4308-132-0x0000000004EE0000-0x0000000004F7C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4308-133-0x0000000005B70000-0x0000000005BD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4308-134-0x0000000006170000-0x00000000061C0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4308-135-0x0000000006870000-0x0000000006902000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4308-136-0x0000000006930000-0x000000000693A000-memory.dmp
    Filesize

    40KB

    Download