Overview

overview

10

Static

static

4a67c4d108...de.exe

windows7-x64

10

4a67c4d108...de.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    87s
  • max time network
    59s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a67c4d108b728eba8ce589844dc6fde.exe

  • Size

    839KB

  • MD5

    4a67c4d108b728eba8ce589844dc6fde

  • SHA1

    b73b519e39ec1170ce7a7463e45da3966c7f5b90

  • SHA256

    7c84afbd1d85d46654f72829812a1f2eb3cee52899e39d7bc54be3a4c8fe45d8

  • SHA512

    b45c804176d611b8f4fc1ba8fdd98442a42780ed276aa93c4c6a0ed54bec03e6f3060fbc18a75cfa1ea2be6ed27aafb7afbf56ea6a718b7f19418c9dc2e41a95

  • SSDEEP

    12288:+cKjmaOffpam/YtdX/VvFXQMiql8M1IJyP5yAXe3HmDtgKZ/nXt7virmWhlGLaQ1:Vg+pB/iN/V3DqSlYHmD

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.gmail.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    hnxqezadblabdsss

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a67c4d108b728eba8ce589844dc6fde.exe
    "C:\Users\Admin\AppData\Local\Temp\4a67c4d108b728eba8ce589844dc6fde.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1528
    • C:\Users\Admin\AppData\Local\Temp\4a67c4d108b728eba8ce589844dc6fde.exe
      "C:\Users\Admin\AppData\Local\Temp\4a67c4d108b728eba8ce589844dc6fde.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3
T1081

Discovery

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1528-54-0x0000000000E30000-0x0000000000F08000-memory.dmp
    Filesize

    864KB

    Download
  • memory/1528-55-0x0000000075021000-0x0000000075023000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1528-56-0x00000000005A0000-0x00000000005B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1528-57-0x0000000000670000-0x000000000067E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1528-58-0x0000000005180000-0x00000000051FE000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1528-59-0x0000000004310000-0x0000000004354000-memory.dmp
    Filesize

    272KB

    Download
  • memory/2020-60-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-61-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-63-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-64-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-65-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-66-0x000000000043249E-mapping.dmp
    Download
  • memory/2020-68-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2020-70-0x0000000000400000-0x0000000000438000-memory.dmp
    Filesize

    224KB

    Download