Analysis

  • max time kernel
    205s
  • max time network
    210s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-12-2022 16:23

General

  • Target

    DHL Air waybill.SCR.exe

  • Size

    801KB

  • MD5

    beb27d2d76a11793bd4f7cb8c3cec343

  • SHA1

    3fcfe3b2be699e78f1bcd4136499d805191d76b4

  • SHA256

    3b17be70fb201b2352f0a5d5a2b4f783e18350a13628b96c80c3d4e8c1fdd0b5

  • SHA512

    2d85f07698b9b2c3e2de47e8182bb0e227c7daebf56611cf38cd665df0510adde4c984414d54961c9db7a033ab388a2aa471db7bff30eeb5d96e4c4b3f34f99c

  • SSDEEP

    12288:iwBoY9FDutOg6duUKLo7BkvKpDeSp+7732pQlS3WWu41rXSQTlrOBZ3wIQTIddpn:rIvKpKSpgTMFioJOFigEa3zQtmAI

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5303328165:AAF7HxnjN67EBIegVs-MwZqBsR_i0699CXE/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHL Air waybill.SCR.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Air waybill.SCR.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2284
    • C:\Users\Admin\AppData\Local\Temp\DHL Air waybill.SCR.exe
      "C:\Users\Admin\AppData\Local\Temp\DHL Air waybill.SCR.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3200

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DHL Air waybill.SCR.exe.log

    Filesize

    617B

    MD5

    85306571e7ae6002dd2a0fb3042b7472

    SHA1

    c897ab7434b118a8ec1fe25205903f5ec8f71241

    SHA256

    40c98b01052cd95102701b71b4fbe0eda48537435898c413239f5f888a614253

    SHA512

    0e9853dab46fd5f6f9eea44377d3802e9cc2fff7ba2f9b45c7c8fc37b860ad9c3c4beb6e1572c87964e06144504210e29038cb03e00c7e7af6ad32e6e995c76a

  • memory/2284-132-0x0000000000E80000-0x0000000000F4E000-memory.dmp

    Filesize

    824KB

  • memory/2284-133-0x0000000005C20000-0x0000000005CBC000-memory.dmp

    Filesize

    624KB

  • memory/2284-134-0x0000000006470000-0x0000000006A14000-memory.dmp

    Filesize

    5.6MB

  • memory/3200-135-0x0000000000000000-mapping.dmp

  • memory/3200-136-0x0000000000400000-0x000000000046C000-memory.dmp

    Filesize

    432KB

  • memory/3200-138-0x0000000006120000-0x0000000006186000-memory.dmp

    Filesize

    408KB

  • memory/3200-139-0x00000000064B0000-0x0000000006500000-memory.dmp

    Filesize

    320KB