Overview

overview

10

Static

static

1

37096691.exe

windows7-x64

8

37096691.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    37s
  • max time network
    3s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2022 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    37096691.exe

  • Size

    1.2MB

  • MD5

    f534050fa4d9012dd54e13ce691d662e

  • SHA1

    916a083d0045e365d889164e59c039d526c44684

  • SHA256

    37096691833e6bd3112ec4ad96df261c532c32f50adef7797bb9489f9a3aea97

  • SHA512

    bb7323176acd486fd526560522a65255819bd59ac44e17d3076fcb06be2891c7accbcc8e827445db72914ee041b5880308174ab5d8de46c5a7d591ab05841141

  • SSDEEP

    24576:e+YAumA1be5ysgG12LltOOr3C1zC+GGOG4emawVl9Rg:D/eG273H+GS4XawVry

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\37096691.exe
    "C:\Users\Admin\AppData\Local\Temp\37096691.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1404
    • C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
      "C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe" "C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3928
      • C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
        "C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe" "C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2668

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

3
T1081

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\hxqmupa.awd
    Filesize

    295KB

    MD5

    3bc6821e034cf3e3ccbae1b6ac587ac0

    SHA1

    18625cf44ca651096eccf70f40b80f4a926c7d6b

    SHA256

    8701a011eb882515bdec111500cd5eaf8861905d000b37d1f0ba0d52cbbb7a90

    SHA512

    a898f266db894650260b78e3a8458af0649ac4e2e35658168af99c200b3fe59321d7d6567558b97967b72f6ed3ce89971c01d94f3dd9013fac6d61b808d1eeef

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\mhryt.r
    Filesize

    54KB

    MD5

    4acbb6cf122f16ceef282a935950774a

    SHA1

    d01ba39f4516f28097cc9419d497cb0d366aaae5

    SHA256

    ceb563dd9ce4af0e6b8638a62310d5345c89472792414d9a8904f537fb3b7e46

    SHA512

    bedcb8fe5cd637d82146cc94a97c3d54a94536411f4e1e37cd2db2e44d1ed377f980b1632b227ad20b4651345cc4e659edf22022c6c322af5687572555002bd0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\nyfsjhehag.exe
    Filesize

    872KB

    MD5

    c56b5f0201a3b3de53e561fe76912bfd

    SHA1

    2a4062e10a5de813f5688221dbeb3f3ff33eb417

    SHA256

    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

    SHA512

    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\pmrwjoyl.au3
    Filesize

    5KB

    MD5

    d6c9edb53c19c52ef0f4c54e62295ab9

    SHA1

    595dbcde92c6d70da21a9d946371388220529cb3

    SHA256

    82789a96aaf587382eabfba4730796be5b738ee54f24065e3dc5440b4b330f54

    SHA512

    c6edd33bd8197332c1b136ae0e16dd6860b4cce1f4a7403771850f37770fb83f1b53b8ae8bd29acfff94489729de04783afa7ab1e7023b2655be3bac0ccb438a

    Download Submit
  • memory/2668-138-0x0000000000000000-mapping.dmp
    Download
  • memory/2668-140-0x0000000000400000-0x000000000044E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/2668-141-0x0000000006840000-0x0000000006DE4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/2668-142-0x0000000006290000-0x000000000632C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/2668-143-0x0000000007A70000-0x0000000007AD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2668-144-0x0000000007CC0000-0x0000000007D10000-memory.dmp
    Filesize

    320KB

    Download
  • memory/2668-145-0x0000000007E30000-0x0000000007EC2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2668-146-0x0000000008320000-0x000000000832A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3928-132-0x0000000000000000-mapping.dmp
    Download