Overview

overview

10

Static

static

5ecf7b5740...f8.exe

windows7-x64

10

5ecf7b5740...f8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2022 11:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5ecf7b57409e0684d29b08714b8c09f8.exe

  • Size

    340KB

  • MD5

    5ecf7b57409e0684d29b08714b8c09f8

  • SHA1

    16f96d4d32722f42736b622e5783f2c22c7383a3

  • SHA256

    08faf3ebd270f39ce947726573b16c022e385830676bb73edd2e7ccaf4ac1f96

  • SHA512

    09ded1799a68eec113805832554c56a0cbc4f6dfd98c4e5e21337f74d36ed19964ed8a6225c5878923a20c4f74472510f2f7d8751d67e64fd2319a05dbf28aa1

  • SSDEEP

    6144:CDQ2EdE8FC6gW7wYzxbCIKXt3cEhon2Xvx3C9nUh1PQBjbrbh:/bDnNwYzxFKXhhs2XvxeUh1PQhbrbh

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.leonardfood.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    K@rimi95

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 2 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe
    "C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2024
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
      "Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'
      2⤵
      • Drops startup file
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:580
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:544

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/544-65-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-66-0x0000000000435BBE-mapping.dmp

    Download

  • memory/544-70-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-68-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-63-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-60-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-61-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/544-64-0x0000000000400000-0x000000000043A000-memory.dmp

    Filesize

    232KB

    Download

  • memory/580-57-0x0000000000000000-mapping.dmp

    Download

  • memory/580-72-0x0000000070070000-0x000000007061B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/580-73-0x0000000070070000-0x000000007061B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2024-55-0x00000000005C0000-0x000000000060E000-memory.dmp

    Filesize

    312KB

    Download

  • memory/2024-54-0x0000000000B70000-0x0000000000BCE000-memory.dmp

    Filesize

    376KB

    Download

  • memory/2024-59-0x0000000000520000-0x000000000053C000-memory.dmp

    Filesize

    112KB

    Download

  • memory/2024-56-0x0000000075881000-0x0000000075883000-memory.dmp

    Filesize

    8KB

    Download