Overview

overview

10

Static

static

1

MT103 USD36k_pdf.exe

windows7-x64

10

MT103 USD36k_pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    74s
  • max time network
    31s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 08:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103 USD36k_pdf.exe

  • Size

    300KB

  • MD5

    67060e229fd001baaf2ff8e36f435f0f

  • SHA1

    e8fa3767b8cc7df3c58e04ffb77ba49ca0d65210

  • SHA256

    3715a1b3671a7526ba34a708a617c353c27380d255b6a74493978ded978e01b0

  • SHA512

    38ea3c2ed47ae45062b6239c1812616479fefe957f93b60281431d5aff6272fa7948b0bc77149ae2195ccf2abb2171e99731d68e06bf990ebbb9aa18a49c5086

  • SSDEEP

    6144:BBnvBRhD9wLIp/s6usl9aAh3RhB0QbsIABuwVeWK:35aes6ft3Rhp7ABuwVe7

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\MT103 USD36k_pdf.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1360
    • C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
      "C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1772
      • C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
        "C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe" C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:688

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\dbxqmw.qr
    Filesize

    5KB

    MD5

    7352ef7b4a7ec98455c90e22d4c588aa

    SHA1

    aaab92935902c828e9d111722c35254571620dbd

    SHA256

    cc1d09769d2f707e2dd54f2dd58658f58eb32634d8bc197aa86ec24aa6bb1194

    SHA512

    90eb1e5b027aef8be4492c71d43f2c0bfdb722881f90c06598f904b42c86df513bc3016f2cebb3bebd8ab17e861c4f87d14dc4941167f5e6fd3a84d0697d571e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
    Filesize

    37KB

    MD5

    24c602d3c445c8070cdd067b12415981

    SHA1

    0bd8ecfd615b9627034e0bbd91ce76a6f8a69797

    SHA256

    436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23

    SHA512

    cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
    Filesize

    37KB

    MD5

    24c602d3c445c8070cdd067b12415981

    SHA1

    0bd8ecfd615b9627034e0bbd91ce76a6f8a69797

    SHA256

    436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23

    SHA512

    cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
    Filesize

    37KB

    MD5

    24c602d3c445c8070cdd067b12415981

    SHA1

    0bd8ecfd615b9627034e0bbd91ce76a6f8a69797

    SHA256

    436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23

    SHA512

    cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\xbrzayesyy.l
    Filesize

    273KB

    MD5

    27ddad24acda2f46f8fcc9d625b90085

    SHA1

    9ce96fe713d1cd3900624bbe286543c5c2ef62c5

    SHA256

    17bbd12b77b9ae1928b314958f2bcb639759cf6be3e9137baa0b92f4aedb7765

    SHA512

    71a0e948101e5fcc9d93559c41bfd8cc0d38bbed9fd23cafd8a469ab826843f22b9b644a86279fc493b6885449098e9972ac622e32703db0645abdf5c238044b

    Download Submit
  • \Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
    Filesize

    37KB

    MD5

    24c602d3c445c8070cdd067b12415981

    SHA1

    0bd8ecfd615b9627034e0bbd91ce76a6f8a69797

    SHA256

    436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23

    SHA512

    cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee

    Download Submit
  • \Users\Admin\AppData\Local\Temp\kfeasmzfnj.exe
    Filesize

    37KB

    MD5

    24c602d3c445c8070cdd067b12415981

    SHA1

    0bd8ecfd615b9627034e0bbd91ce76a6f8a69797

    SHA256

    436e500579780305bfcb485024dc2e9dfaea7839f8e61ea3757c9526dcd18c23

    SHA512

    cf38c523550e7be1b29f72ce640be3e7a0c7ecfc2ec270743a31a631391edebe25546efb56c140b07260643bd7d98372f1e9eeb290f9fb89262108eeabc3afee

    Download Submit
  • memory/688-63-0x0000000000401896-mapping.dmp
    Download
  • memory/688-66-0x0000000000850000-0x0000000000888000-memory.dmp
    Filesize

    224KB

    Download
  • memory/688-67-0x0000000000400000-0x0000000000448000-memory.dmp
    Filesize

    288KB

    Download
  • memory/1360-54-0x00000000766F1000-0x00000000766F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1772-56-0x0000000000000000-mapping.dmp
    Download