Overview

overview

10

Static

static

8e8034b9c6...a4.exe

windows7-x64

10

8e8034b9c6...a4.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    25-11-2022 09:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8e8034b9c6ed02a4ab3c376ac7613a566157966d47c6c37751e91efe485b87a4.exe

  • Size

    473KB

  • MD5

    65e25b26430cd065f47e0eaeb701c5ae

  • SHA1

    5d876b1e37abd2f0fb8d9fb6f05ec7b6d94ba66b

  • SHA256

    8e8034b9c6ed02a4ab3c376ac7613a566157966d47c6c37751e91efe485b87a4

  • SHA512

    d492cd78a681c1f58427c3c7968736e610aff84262facdfddc274cebcb6424231f682e45fbaa3204144b1af7c0f4d65f6f9e1c0a6b7db752fa73913a20a099c8

  • SSDEEP

    12288:Ifw7oJOgjW0B0flg9HC/R5Vy5PIU4M+iobgrvCiSLlRO28:Ifwj/R5Vy5JF+2GtJRc

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.privateemail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    enugu222

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 6 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8e8034b9c6ed02a4ab3c376ac7613a566157966d47c6c37751e91efe485b87a4.exe
    "C:\Users\Admin\AppData\Local\Temp\8e8034b9c6ed02a4ab3c376ac7613a566157966d47c6c37751e91efe485b87a4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Users\Admin\AppData\Local\Temp\8e8034b9c6ed02a4ab3c376ac7613a566157966d47c6c37751e91efe485b87a4.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1352-58-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-59-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-61-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-62-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-63-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-64-0x000000000043760E-mapping.dmp

    Download

  • memory/1352-66-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1352-68-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2016-54-0x0000000000160000-0x00000000001DE000-memory.dmp

    Filesize

    504KB

    Download

  • memory/2016-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2016-56-0x00000000003A0000-0x00000000003A8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2016-57-0x0000000003FF0000-0x0000000004060000-memory.dmp

    Filesize

    448KB

    Download