Overview

overview

10

Static

static

NO120220.exe

windows7-x64

1

NO120220.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    84s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-11-2022 02:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NO120220.exe

  • Size

    9KB

  • MD5

    f957c21bba09b850253f5e234eaee672

  • SHA1

    c2d6e245c356291a4a500453555ebf6f8136519b

  • SHA256

    407845005e74c5321a626668d9bfa35f57332328e7e7ac76fd06523d90a4e20d

  • SHA512

    2844c357911bcb0f1cc5d8f9f5bc0243d7d3418dabe43429a2da8b1dc67dbd73bbcb4fc0105127d0fb4a93a2a41fbc917644ff931245cba146f78d3f8d33c5eb

  • SSDEEP

    192:NDWHDqno3KtoLmPbOw9QYYcQdi8stYcFmVc03KY:NDW+noZLmjOwIcKiptYcFmVc03K

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://192.3.223.202
  • Port:
    21
  • Username:
    ftplogs
  • Password:
    sPkZ7jK7P6aA

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NO120220.exe
    "C:\Users\Admin\AppData\Local\Temp\NO120220.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -enc UwB0AGEAcgB0AC0AUwBsAGUAZQBwACAALQBTAGUAYwBvAG4AZABzACAANQAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4656
    • C:\Users\Admin\AppData\Local\Temp\NO120220.exe
      C:\Users\Admin\AppData\Local\Temp\NO120220.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2252

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\NO120220.exe.log
    Filesize

    1KB

    MD5

    ef95a426c7cadbe261c528f59813e6ab

    SHA1

    5edc710e2a90db2d262dd4d10d6f09d20e823007

    SHA256

    b481e9bf0515a6beb15cb252f60847275d978eba72691d5d8fa1c6a79b5cda9a

    SHA512

    53039306141608f7a606a1500f61193be16e97e53724b0d76721106c8dc7a5a8406c96019b9c32d0800d011bd2e55f46d34d2d74ed9b2661c7e006e329c45180

    Download Submit

  • memory/1232-174-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-138-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-178-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-136-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-180-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-140-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-142-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-144-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-146-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-148-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-150-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-152-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-154-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-156-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-158-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-188-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-162-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-164-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-166-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-168-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-170-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-172-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-176-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-132-0x0000000000870000-0x0000000000878000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1232-133-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-134-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-160-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-186-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-184-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-190-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-182-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-192-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-194-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-196-0x0000000008CD0000-0x0000000008D11000-memory.dmp

    Filesize

    260KB

    Download

  • memory/1232-6463-0x0000000006B90000-0x0000000006BB2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/1232-6472-0x0000000005A20000-0x0000000005AB2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1232-6473-0x000000000A060000-0x000000000A604000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2252-6480-0x0000000006FF0000-0x0000000006FFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2252-6477-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2252-6478-0x0000000005730000-0x00000000057CC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2252-6479-0x0000000006EE0000-0x0000000006F30000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4656-6465-0x0000000004650000-0x0000000004686000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4656-6466-0x0000000004E60000-0x0000000005488000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4656-6468-0x0000000005490000-0x00000000054F6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4656-6467-0x0000000004CF0000-0x0000000004D56000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4656-6469-0x0000000005BF0000-0x0000000005C0E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4656-6470-0x0000000007470000-0x0000000007AEA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4656-6471-0x00000000060F0000-0x000000000610A000-memory.dmp

    Filesize

    104KB

    Download