Overview

overview

10

Static

static

ez.ps1

windows7-x64

1

ez.ps1

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    164s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 18:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ez.ps1

  • Size

    424KB

  • MD5

    79e5aa477b91037f411652199fec4b47

  • SHA1

    4d68ed5dd420f2ac0a8b3a1f0f5ec33f2c605bf3

  • SHA256

    cb94129961f8d8a26ce13e84d199ea1733057adea3c0754abcf7310fa03443d4

  • SHA512

    d4dd01b5935d210437d33b4a01417dd05328eb4999e0ea325ac4bced2fc63ee2679f67979bff76cb790f3d8a21604edc4d83caf13b65f5448026198a78cbee21

  • SSDEEP

    6144:omGppOv8jvOtF7GryCNV81Q7NA4S6DCICQupftzJgEReLxqs2tZ4+:omE2c2tF7XCXRNNJfyftzJgyelqsH+

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.leonardfood.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    K@rimi95

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\ez.ps1
    1⤵
    • Blocklisted process makes network request
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
      2⤵
        PID:4840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4832

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3212-132-0x00000173359B0000-0x00000173359D2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3212-133-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3212-134-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3212-137-0x00007FF883FC0000-0x00007FF884A81000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4832-135-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/4832-136-0x0000000000435BBE-mapping.dmp

      Download

    • memory/4832-138-0x00000000057F0000-0x0000000005D94000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4832-139-0x0000000005120000-0x00000000051BC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4832-140-0x0000000005EA0000-0x0000000005F06000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4832-141-0x00000000064E0000-0x0000000006530000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4832-142-0x00000000066D0000-0x0000000006762000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4832-143-0x0000000006630000-0x000000000663A000-memory.dmp

      Filesize

      40KB

      Download