Analysis

  • max time kernel
    95s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
  • submitted
    02-12-2022 09:30

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe

  • Size

    1.0MB

  • MD5

    04c98950018270a3b6af1ee59f898249

  • SHA1

    053fb64b3a1777a50ede9c8c9586e3274c33d9b1

  • SHA256

    cb5a09fbb8c760f829a4b474f381b32a3ae68ec6e82c6b3d2fd8d2ef38b40d61

  • SHA512

    d8e26a1cca564d3de95477506b934e9b965ce057f4090c41a843c5a6f853bb2fe26791f8a5cf453daa55ad19f8e21f60cde13692890c1373818180041bc33fae

  • SSDEEP

    12288:vdbgh/RImD9Cm2CYSlX+PXvpkJqeZsaUhaqCDfsCchGkgrfcdocTS0Rt2:vdgh/ymUJCzBkvISFmkCc9ef2+2t

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based information stealer and remote access tool (RAT), commonly written in Visual Basic .NET; it harvests credentials from browsers, email and FTP clients.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, which infostealers often target.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox heuristic labels this as likely ransomware behaviour, but drive enumeration is also routine for infostealers, and no file encryption activity is reported for this sample.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\JEDHCqGSV.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2020
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JEDHCqGSV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1112
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:820
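
The process tree above shows a three-step install chain from one parent (PID 1324): a Defender exclusion added with Add-MpPreference for a path under AppData\Roaming, a scheduled task created from an XML file in %TEMP%, and a second copy of the sample spawned as a child while the parent triggers SetThreadContext/WriteProcessMemory. The following detection logic is an added example, not part of the sandbox report or of any vendor tooling. The event records are constructed to mirror the report's process tree (PIDs, image paths and command lines are taken from it); the field names, the explorer.exe parent with PID 1000 and the benign Get-MpPreference event are assumptions modelled on Sysmon Event ID 1 style telemetry.

```python
"""Flag the AgentTesla-style install chain from process-creation events.

Added example; events are constructed from the sandbox report's process tree.
Field names (pid, ppid, image, cmdline) are an assumption modelled on Sysmon
Event ID 1 telemetry, not the sandbox's own export format.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.18504.12187.exe"

# Constructed events: PIDs/command lines from the report, PID 1000 and PID 3000 assumed.
EVENTS = [
    ProcEvent(1000, 500, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1324, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2020, 1324, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\JEDHCqGSV.exe"'),
    ProcEvent(1112, 1324, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JEDHCqGSV" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp"'),
    ProcEvent(820, 1324, SAMPLE, f'"{SAMPLE}"'),
    # Benign control: an admin reading Defender settings must not fire.
    ProcEvent(3000, 1000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Get-MpPreference'),
]

# Directories a standard user can write to; payloads and task XML living here are suspicious.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
ARG = re.compile(r'"([^"]*)"|(\S+)')


def split_cmdline(cmdline):
    """Split a Windows command line into arguments, honouring double quotes."""
    return [m.group(1) if m.group(1) is not None else m.group(2) for m in ARG.finditer(cmdline)]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def arg_after(args, flag):
    """Value following a case-insensitive flag such as /XML or -ExclusionPath, else None."""
    low = [a.lower() for a in args]
    i = low.index(flag.lower()) if flag.lower() in low else -1
    return args[i + 1] if 0 <= i < len(args) - 1 else None


def detect_defender_exclusion(ev):
    """PowerShell adding a Defender exclusion; 'high' when the excluded path is user-writable."""
    if basename(ev.image) != "powershell.exe":
        return None
    args = split_cmdline(ev.cmdline)
    if "add-mppreference" not in (a.lower() for a in args):
        return None
    for flag in ("-ExclusionPath", "-ExclusionProcess", "-ExclusionExtension"):
        value = arg_after(args, flag)
        if value is not None:
            sev = "high" if USER_WRITABLE.search(value) else "medium"
            return (ev.pid, "defender_exclusion", sev, value)
    return None


def detect_schtasks_xml_from_user_dir(ev):
    """schtasks /Create importing task XML from a user-writable directory (persistence)."""
    if basename(ev.image) != "schtasks.exe":
        return None
    args = split_cmdline(ev.cmdline)
    if "/create" not in (a.lower() for a in args):
        return None
    xml = arg_after(args, "/XML")
    if xml and USER_WRITABLE.search(xml):
        return (ev.pid, "schtasks_xml_from_user_dir", "high", f"{arg_after(args, '/TN')} <- {xml}")
    return None


def detect_self_spawn(ev, by_pid):
    """A user-dir executable spawning its own image: classic hollowing target (weak on its own)."""
    parent = by_pid.get(ev.ppid)
    if parent and parent.image.lower() == ev.image.lower() and USER_WRITABLE.search(ev.image):
        return (ev.pid, "self_spawn_from_user_dir", "medium", f"parent pid {parent.pid}")
    return None


def analyze(events):
    """Return (findings, chain_parents): individual hits plus parents showing all three behaviours."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        for hit in (detect_defender_exclusion(ev),
                    detect_schtasks_xml_from_user_dir(ev),
                    detect_self_spawn(ev, by_pid)):
            if hit:
                findings.append(hit)
    # Correlate by parent: exclusion + task persistence + self-spawn from one PID is the
    # high-confidence signal; any single rule alone is noisier.
    rules_by_parent = {}
    for pid, rule, _sev, _detail in findings:
        rules_by_parent.setdefault(by_pid[pid].ppid, set()).add(rule)
    chains = sorted(p for p, r in rules_by_parent.items() if len(r) == 3)
    return findings, chains


if __name__ == "__main__":
    hits, chain_parents = analyze(EVENTS)
    for hit in hits:
        print(hit)
    print("install-chain parents:", chain_parents)
```

The self-spawn rule is only a proxy for process hollowing; on its own it also fires on legitimate self-relaunching installers. The corroborating evidence in this report is the parent's SetThreadContext and WriteProcessMemory signatures together with the child's 0x400000-0x43C000 memory dumps, so a responder should pair this correlation with API telemetry or a memory dump of the child before calling the verdict.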

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF2C8.tmp

    Filesize

    1KB

    MD5

    d3f96160e8706704b7f8b343bb3ead78

    SHA1

    4b1a6f5c5fca34ce9a1c4e942b57c33434bd0d20

    SHA256

    0aebb8e7e8bce6d1a236bf06c6b6ef46ddc0b8cb1d412ef5b07265bdcb813ec9

    SHA512

    d02210835385564c641367ad648b0de0b5c7f4f582006e1bcc82c78a850e592e0b023ea1f6809b4cf38912547225e481b11165eb87acefe4a24df360a6b865ed

  • memory/820-65-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-74-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-72-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-70-0x0000000000437C4E-mapping.dmp

  • memory/820-69-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-68-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-67-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/820-64-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

  • memory/1112-60-0x0000000000000000-mapping.dmp

  • memory/1324-58-0x0000000007EB0000-0x0000000007F46000-memory.dmp

    Filesize

    600KB

  • memory/1324-63-0x0000000008020000-0x000000000807E000-memory.dmp

    Filesize

    376KB

  • memory/1324-54-0x0000000001330000-0x000000000143E000-memory.dmp

    Filesize

    1.1MB

  • memory/1324-57-0x0000000000940000-0x000000000094E000-memory.dmp

    Filesize

    56KB

  • memory/1324-56-0x0000000000930000-0x0000000000946000-memory.dmp

    Filesize

    88KB

  • memory/1324-55-0x0000000075AC1000-0x0000000075AC3000-memory.dmp

    Filesize

    8KB

  • memory/2020-59-0x0000000000000000-mapping.dmp

  • memory/2020-76-0x000000006E300000-0x000000006E8AB000-memory.dmp

    Filesize

    5.7MB