Overview

overview

10

Static

static

IMG17613.exe

windows7-x64

10

IMG17613.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-10-2022 17:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG17613.exe

  • Size

    1.2MB

  • MD5

    bcd50df1014ab4d7c735c6e5347c3a1e

  • SHA1

    8e77d53b6388116cafcf49d3b2777ca1dcfe0d1a

  • SHA256

    2e64e9db47d38ba509cdd4ca9b9ca2a589c9834ac2bde1d8a6e4ea89bbc47fa6

  • SHA512

    04194528a02dd65810500977b1326c33bb57d716f72b78c128ff865223271a4543d0ef4d69fd2c3b3a8e8195391d2374c81ddf517d55b76e790d49aab10cdaed

  • SSDEEP

    24576:pAOcZT+NxxX3ENpR8SlcRDC14DS8BaCZ73QqQ5SOb2eYzf:DRQYSlcNNS8BBbJNzf

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG17613.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG17613.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1164
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\3_26\osjutmj.vbe"
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe
        "C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe" fbjdqgwu.ktp
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
          4⤵
          • Executes dropped EXE
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • outlook_office_path
          • outlook_win_path
          PID:4900

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\3_26\fbjdqgwu.ktp
    Filesize

    167.5MB

    MD5

    6401a6dcb3aeaa5afa29bdd81792ecc2

    SHA1

    fec29cf91bdb766f2509c856ad76be13d1c79d88

    SHA256

    55d164c14921cc946afc39d537e881ead2c35a111a938d23898ee70296dc8a4e

    SHA512

    e74a1f50b6ff951e4dfcbdf30d8da537107bf2b8a4d70346e6f4a0b716d11e61687e7b91352916694fddf737f8819a2575cdcd71f213a4bcf9381a4d19b2a819

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3_26\gamdisqvxt.log
    Filesize

    50KB

    MD5

    74e7d9c4151845a85593f721021d2058

    SHA1

    13eca87a11be1fd9f3a35365ddd771b912462b6b

    SHA256

    9e6d9f29ef6c6edae6d11a44e3315f94c5c350a64511a5d5af3bffebceff18c0

    SHA512

    7aef27808bdd598c797fa26c2ce602d4c601a72c2713b9b476e8f56e087819097747e3b2a54b59c5f57e496ec9ff2687d80675a91076af9ae369a629b993df65

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe
    Filesize

    1.4MB

    MD5

    be509bf8276f9126a33cfd4ae96af87d

    SHA1

    d01e9c048f3d444d1d393a245350473ac1e0ad45

    SHA256

    7f8bfd84ab6926d49cd8257358ac342f9d0a4709a391279f8d51f1d97e092e99

    SHA512

    0ac438ed1aba56c9633225e0966f6e1c4f94c756bc6dcea9dc8ceae8a690b66f399f08fc32f40539f7f454dce8a15f7ee87fc3f9be3e68f9bed1b84a4bd6139c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3_26\nruluikqa.exe
    Filesize

    1.4MB

    MD5

    be509bf8276f9126a33cfd4ae96af87d

    SHA1

    d01e9c048f3d444d1d393a245350473ac1e0ad45

    SHA256

    7f8bfd84ab6926d49cd8257358ac342f9d0a4709a391279f8d51f1d97e092e99

    SHA512

    0ac438ed1aba56c9633225e0966f6e1c4f94c756bc6dcea9dc8ceae8a690b66f399f08fc32f40539f7f454dce8a15f7ee87fc3f9be3e68f9bed1b84a4bd6139c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\3_26\qrfac.lme
    Filesize

    436KB

    MD5

    6538dcf07b2fd6ca5a1f0c05e47098d5

    SHA1

    466c428cb4343d9ed8d2f0812f3faa280f770077

    SHA256

    1eeb1df648e7d5bdce0c85053607386c5a5c87c91e9291dd129965cbf4488b67

    SHA512

    44c496c86b66ebc83c34e2c12fe1449aaff07273e1353cb07fc4e7e2cfee42f96c099483b27981e3df25ed616a9d32cb5686b24b085dcd7db97d3874e856ff02

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe
    Filesize

    44KB

    MD5

    9d352bc46709f0cb5ec974633a0c3c94

    SHA1

    1969771b2f022f9a86d77ac4d4d239becdf08d07

    SHA256

    2c1eeb7097023c784c2bd040a2005a5070ed6f3a4abf13929377a9e39fab1390

    SHA512

    13c714244ec56beeb202279e4109d59c2a43c3cf29f90a374a751c04fd472b45228ca5a0178f41109ed863dbd34e0879e4a21f5e38ae3d89559c57e6be990a9b

    Download Submit

  • C:\Users\Admin\AppData\Local\temp\3_26\osjutmj.vbe
    Filesize

    33KB

    MD5

    02f84dc637aa9058d08a27671ab7a579

    SHA1

    036ce5094c6f30adf5167768f15debb4be8f367c

    SHA256

    04675271a055112e6d3427da8d17c547110e9ea8d24b6b4414ec87a82455f53e

    SHA512

    cfd316dcea9f783ef4f9611320295d6f32cab7bbb69e68c14ea12bc710af2cd6687ee0dc494fb3940250728ea76c0d5cf164d937944be324ef9cf6ab9f7d1398

    Download Submit

  • memory/4900-140-0x0000000000420000-0x0000000000A34000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4900-144-0x0000000000420000-0x000000000045C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4900-145-0x0000000005730000-0x0000000005CD4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4900-146-0x00000000052A0000-0x000000000533C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4900-147-0x00000000056B0000-0x0000000005716000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4900-148-0x0000000006700000-0x0000000006750000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4900-149-0x0000000006870000-0x0000000006902000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4900-150-0x0000000006B60000-0x0000000006B6A000-memory.dmp

    Filesize

    40KB

    Download