Analysis

  • max time kernel
    99s
  • max time network
    92s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-12-2022 14:31

General

  • Target

    Quote 8103639.exe

  • Size

    302KB

  • MD5

    0ac349c67a718638cfb1fe2f70d43a90

  • SHA1

    fc19b79c0090de13ec2632901b2d15f9f7d0b746

  • SHA256

    0dd53c57c72aea305d1b83fa26283f21caaa5f8263f41d84a43884fb2eb62ce3

  • SHA512

    b9c5c3e29b4ccb07ee52f3663aeac7a153c5ff0e0676d443fad612447fc1633d875ea4cb11e317e7204460c37bc8cc09d6027d2a6ee1846a8d8a1875e91d71a6

  • SSDEEP

    6144:QBn1jdkWkyxoR5LHNhYH25r9L19EeuZrp+ZRAR/r2E2XhTPldwkBdka7RuS:gCWkD3zYW5N1eem+v6d2xTPhjVT

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quote 8103639.exe
    "C:\Users\Admin\AppData\Local\Temp\Quote 8103639.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:940
    • C:\Users\Admin\AppData\Local\Temp\gtpukenup.exe
      "C:\Users\Admin\AppData\Local\Temp\gtpukenup.exe" C:\Users\Admin\AppData\Local\Temp\iuxfgcojdaj.jwu
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:296
      • C:\Users\Admin\AppData\Local\Temp\gtpukenup.exe
        "C:\Users\Admin\AppData\Local\Temp\gtpukenup.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:892

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence
    Registry Run Keys / Startup Folder (T1060): 1
  • Defense Evasion
    Modify Registry (T1112): 1
  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gtpukenup.exe
    Filesize

    99KB

    MD5

    ab817969898427b78e7c714f24e4ee72

    SHA1

    7a7f40692e722849f588fd6bd1334db5309b6665

    SHA256

    fc0092d464eda6c5f734982af93676587cd49b4767c8c9b6cfe3b205ff78ca61

    SHA512

    ead8aafd928aeb3d59c0b56a85817b54d3656314772705b866922d41876c276ba44a4bbfc3e2bfa750f6f4a22992b0459e0c201a6c5676f377c2613f262ac59f

  • C:\Users\Admin\AppData\Local\Temp\iuxfgcojdaj.jwu
    Filesize

    7KB

    MD5

    1ffe5ceb1e2b01b208746aac0d44ef55

    SHA1

    44ad982f51bf3fbbfca0e20d96f1cbde569b1b91

    SHA256

    e46d4a5f3b280f81b7189c420d8ff662cd5444256228abf4b47ce46e4bc11bdc

    SHA512

    c6adc802088deac1c2d759d9e31fdb8ea780f9c17295c3b5d8c2a35c59f4addbe870a900f1a8ae2f8d20f1a4c0bb9e7af41fdecffc1cd614a39bbccb63a350ab

  • C:\Users\Admin\AppData\Local\Temp\zqipsaipv.ts
    Filesize

    274KB

    MD5

    37e33d31316dfdd06118eefc95faaadd

    SHA1

    279b43694e57b9680f408c70ed8924b20fd0a9d8

    SHA256

    28ce9a577716e7d124eb0950086d3b586cf1f7522e28bf17233bf5fbe911f4f1

    SHA512

    c9a31d45eb08c041615210572fe752ab30fbb3f4467e7ed15d80d4a2b0e501f7bf1e960c269aaa14536c9109663c8ddc151cd24cd402202bac1d8e11fcbd3ec7

  • \Users\Admin\AppData\Local\Temp\gtpukenup.exe
    Filesize

    99KB

    MD5

    ab817969898427b78e7c714f24e4ee72

    SHA1

    7a7f40692e722849f588fd6bd1334db5309b6665

    SHA256

    fc0092d464eda6c5f734982af93676587cd49b4767c8c9b6cfe3b205ff78ca61

    SHA512

    ead8aafd928aeb3d59c0b56a85817b54d3656314772705b866922d41876c276ba44a4bbfc3e2bfa750f6f4a22992b0459e0c201a6c5676f377c2613f262ac59f

  • memory/296-56-0x0000000000000000-mapping.dmp
  • memory/892-63-0x0000000000401896-mapping.dmp
  • memory/892-66-0x0000000000550000-0x0000000000588000-memory.dmp
    Filesize

    224KB

  • memory/892-67-0x0000000000400000-0x0000000000449000-memory.dmp
    Filesize

    292KB

  • memory/940-54-0x0000000074DE1000-0x0000000074DE3000-memory.dmp
    Filesize

    8KB