Overview

overview

10

Static

static

SecuriteIn...40.exe

windows7-x64

1

SecuriteIn...40.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06/12/2022, 19:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe

  • Size

    10KB

  • MD5

    2ce4192b5883e49c1499d92d2ce042aa

  • SHA1

    0564d46464e21005ae43e7a0401f3d41ad9d4efb

  • SHA256

    c33167e17dfda61ea6090e2aff6ad32310313ea0e4eaf7df95bf4749b7514a4b

  • SHA512

    6c66e612227c9c6e958927a0adf9ee448d53dba9212fa30c726903a5dfb67d76628b49c7fd4ccab6897319fa78b430ee214a42c5912250f2e14e051384530851

  • SSDEEP

    192:gTElP+vRF7IPS5yYg0LeEng6DloWKP8stYcFmVc03KY:gODPS5yYgCVgrWKPptYcFmVc03K

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.cimarcochin.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Kelechikelechi1@

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.cimarcochin.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Kelechikelechi1@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4836
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe
      C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2836

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.DropperX-gen.15791.8940.exe.log
          Filesize

          1KB

          MD5

          69d71014fdb9e6dcd1758f2c46e07d17

          SHA1

          5d2622a9855dc131cfe3683e791888dd8aa8cbc9

          SHA256

          1a8d4efe9e6901bb174a9c665004ac353c2fef126fdd3e08ddffacfe262fa6b4

          SHA512

          217ef49ac56d9b5c26ebd05731e18f8b9e920a1bfe8f278e2fb1cfce0c0a476a99cae69f0859c1f19926dcb9c23600c71a93f6fa69d2f0bba6bcd21dfc385df2

          Download Submit

        • memory/2836-152-0x0000000006C40000-0x0000000006C4A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2836-151-0x0000000006AC0000-0x0000000006B10000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2836-150-0x00000000053A0000-0x000000000543C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2836-148-0x0000000000400000-0x0000000000438000-memory.dmp

          Filesize

          224KB

          Download

        • memory/2976-142-0x0000000005F60000-0x0000000005FC6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2976-143-0x0000000005FD0000-0x0000000006036000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2976-144-0x00000000065F0000-0x000000000660E000-memory.dmp

          Filesize

          120KB

          Download

        • memory/2976-145-0x0000000007E40000-0x00000000084BA000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2976-146-0x0000000006AF0000-0x0000000006B0A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/2976-141-0x00000000058C0000-0x0000000005EE8000-memory.dmp

          Filesize

          6.2MB

          Download

        • memory/2976-140-0x0000000003030000-0x0000000003066000-memory.dmp

          Filesize

          216KB

          Download

        • memory/4836-135-0x0000000000020000-0x0000000000028000-memory.dmp

          Filesize

          32KB

          Download

        • memory/4836-138-0x00000000057B0000-0x00000000057D2000-memory.dmp

          Filesize

          136KB

          Download

        • memory/4836-137-0x0000000005800000-0x0000000005892000-memory.dmp

          Filesize

          584KB

          Download

        • memory/4836-136-0x0000000005CB0000-0x0000000006254000-memory.dmp

          Filesize

          5.6MB

          Download