Overview

overview

10

Static

static

1

Quote 51098672.exe

windows7-x64

10

Quote 51098672.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04/11/2022, 07:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quote 51098672.exe

  • Size

    491KB

  • MD5

    c12335461ad8b615c3c3e5a9eb2fc6fe

  • SHA1

    e01e2513dc5f3d9e9606cfcafc4ea2f4df6951f4

  • SHA256

    93e0b228bcdc4b79836827a3b9c8afa09c97e1b22307f51b82f4d0ca841f39c2

  • SHA512

    1602551b533aa745acccf5b2ccfc93edfe2916c5bfe332761b9b82026900c9e8d39d04ab0dcd66342e976948dbf1098adc98e17fe3ddcfd6605c2e950704a7bf

  • SSDEEP

    6144:fweEJv7p3QTwn5MCL3YT+9VrtPsG6zVLlTqB+TyFQiEW1yp2eNQFCm:yzFQTwMCMT+9VpPsU+Try0se24m

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote 51098672.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote 51098672.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe
      "C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe
        "C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1192

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\arlwcx.ps
    Filesize

    7KB

    MD5

    4ed1d248d179d6dfa60a58ef2eb20e7a

    SHA1

    7fab9cd54f7b063f389491e8b7d1a9d72750717b

    SHA256

    d9b3ffb095a03122d6307f4a1227d2ba161ae1d8d7497756bc5881d0fbda5bc5

    SHA512

    14e08f90497d9bf2e4f44cbf0030bbd2f843fce7fc62759ec4ca0ac353da17c4f9547e610f95855494257ae69e6c10ac426ac6d1343f8f66a0647126ada76bdb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ciysxzsp.c
    Filesize

    296KB

    MD5

    b385f41b07aeb4511765e0d56a7b334b

    SHA1

    2f7a5938bb349281dccdbdc619cee78d4269d00d

    SHA256

    428332bc46a7fcaf99a4e6ed7df6fe12f6f3942af73953df97e29dccf19e50f9

    SHA512

    475dde9a3781f3dc1132924c6236aa938454ec717ce2d652f66864290df2d52aaaf4c8fbdf8a504a27c573707b88b7b05dc949fde5e71adf3d18bff72bd88562

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe
    Filesize

    5KB

    MD5

    cabde658d98b2c6b0db0124f03543b3b

    SHA1

    9ff99fcb663bd9026970892ecb8238a6e200c1ee

    SHA256

    d93721684f193337a1698c1c91411af419dd78f97150713c87cb91a92d3b008d

    SHA512

    3b08faec1bf2068b589948cd404d103c2cec0fd794da0ea0b0bea8e4518634717bee0ab2fc96042cfbec866a46f861318c60d7e00d37ddde9839aca2bb9f89c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe
    Filesize

    5KB

    MD5

    cabde658d98b2c6b0db0124f03543b3b

    SHA1

    9ff99fcb663bd9026970892ecb8238a6e200c1ee

    SHA256

    d93721684f193337a1698c1c91411af419dd78f97150713c87cb91a92d3b008d

    SHA512

    3b08faec1bf2068b589948cd404d103c2cec0fd794da0ea0b0bea8e4518634717bee0ab2fc96042cfbec866a46f861318c60d7e00d37ddde9839aca2bb9f89c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dkvegoxfbp.exe
    Filesize

    5KB

    MD5

    cabde658d98b2c6b0db0124f03543b3b

    SHA1

    9ff99fcb663bd9026970892ecb8238a6e200c1ee

    SHA256

    d93721684f193337a1698c1c91411af419dd78f97150713c87cb91a92d3b008d

    SHA512

    3b08faec1bf2068b589948cd404d103c2cec0fd794da0ea0b0bea8e4518634717bee0ab2fc96042cfbec866a46f861318c60d7e00d37ddde9839aca2bb9f89c4

    Download Submit

  • memory/1192-139-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/1192-140-0x00000000049A0000-0x0000000004F44000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1192-141-0x0000000004FC0000-0x000000000505C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1192-142-0x00000000059A0000-0x0000000005A06000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1192-143-0x0000000006250000-0x00000000062A0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1192-144-0x0000000006350000-0x00000000063E2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1192-145-0x00000000065F0000-0x00000000065FA000-memory.dmp

    Filesize

    40KB

    Download