Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/01/2023, 13:44

General

  • Target

    TEKLİFLER.exe

  • Size

    1.2MB

  • MD5

    e63878622fa749f981623fceb3b1600b

  • SHA1

    3ff8939c94546c715bde6877063e90208e9ad458

  • SHA256

    a7555fbbb59c9e063dfa6b392af01c02f1d23679e53882fc1cb6d3a432330c50

  • SHA512

    019a6088e70d38fe3813cc027fa5d5dd96a447c202af432fe3e8591198b9d304430e20745b1fd7370ba0b40da552b141fd46463bd246080c21c9cb534a0454d5

  • SSDEEP

    12288:DnNzHAHb2cIJ+NTF5EurHyHZdZKVixEYeoV+plXyjVG/ZsMQ1im8WyT46zg79ubJ:pzHwfOELfZhbNYTl8jcSowIQ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    ftp
  • Host:
    ftp://ftp.electrobist.com
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    _~2cvNdh{X=8

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TEKLİFLER.exe
    "C:\Users\Admin\AppData\Local\Temp\TEKLİFLER.exe"
    depth 1
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      depth 2
      PID:1100
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      depth 2
      PID:944
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe"
      depth 2
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 304
        depth 3
        • Program crash
        PID:624

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1140-56-0x0000000000400000-0x0000000000432000-memory.dmp

    Filesize

    200KB

  • memory/1140-58-0x00000000767C1000-0x00000000767C3000-memory.dmp

    Filesize

    8KB

  • memory/1736-54-0x0000000001220000-0x0000000001358000-memory.dmp

    Filesize

    1.2MB

  • memory/1736-55-0x00000000006B0000-0x0000000000720000-memory.dmp

    Filesize

    448KB