Overview

overview

10

Static

static

iiikkkkkk.exe

windows7-x64

10

iiikkkkkk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-01-2023 14:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    iiikkkkkk.exe

  • Size

    520KB

  • MD5

    81afd327d33943a201ec1a8f0f70c811

  • SHA1

    58be06bde949a8d19c2597a7ce34b2c5b05ed40d

  • SHA256

    1a899f1e28f14e24edb2f8f6ccaefaa0a865b3ff25fb47ca00e768bd9acbaf44

  • SHA512

    6a6da5047fdc59226e323e9369b9c5c1825290d59c1519c0d3aa4c1a70782644bb10274323610eb4d54bd9a87742900ab259d639839227aefae3cfef72f684fd

  • SSDEEP

    12288:KYakzucEkYIvjMekosOIRvTtUqq02gKD27n:KYaezEkZvjMekorIdtUhqWg

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\iiikkkkkk.exe
    "C:\Users\Admin\AppData\Local\Temp\iiikkkkkk.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe
      "C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe" C:\Users\Admin\AppData\Local\Temp\zcodvckwou.gqd
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe
        "C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3436

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\knczi.a
    Filesize

    257KB

    MD5

    da3cdc8253431bc1a4dc85c1f94d4ef0

    SHA1

    1f74474857e26d8c5f6c6b7eefbf2919fcbf822e

    SHA256

    3e88bfd08cd22a9a20df329229c905618a4e47637ad487577e93ae441e3ecee8

    SHA512

    7ea411be1977ff021b9a26c755c7dd5f5bf20723530093d374d4feebe1d44addcdcdaa3b2ee43ff00169113834c4c67b8dea94460f38cc6e4bf4c00f3c205bb6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe
    Filesize

    84KB

    MD5

    e9926eac0e2abe1e4e65931df0c4e464

    SHA1

    29df505ecf8657d903ee1fccde0fa46e47be75d0

    SHA256

    059fa1568d581d7abb4f3c494494be9cadf7f867e91fb96dec92fd67d6dd62d8

    SHA512

    16c1571616c3101f7cd280225e8c7b0b70882a960b1009aaf7c403664ecaf3c6d805078e060b09f7223b92ada6b888420d5d540a8d35e23224fca1018b0694d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe
    Filesize

    84KB

    MD5

    e9926eac0e2abe1e4e65931df0c4e464

    SHA1

    29df505ecf8657d903ee1fccde0fa46e47be75d0

    SHA256

    059fa1568d581d7abb4f3c494494be9cadf7f867e91fb96dec92fd67d6dd62d8

    SHA512

    16c1571616c3101f7cd280225e8c7b0b70882a960b1009aaf7c403664ecaf3c6d805078e060b09f7223b92ada6b888420d5d540a8d35e23224fca1018b0694d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lhvgshvj.exe
    Filesize

    84KB

    MD5

    e9926eac0e2abe1e4e65931df0c4e464

    SHA1

    29df505ecf8657d903ee1fccde0fa46e47be75d0

    SHA256

    059fa1568d581d7abb4f3c494494be9cadf7f867e91fb96dec92fd67d6dd62d8

    SHA512

    16c1571616c3101f7cd280225e8c7b0b70882a960b1009aaf7c403664ecaf3c6d805078e060b09f7223b92ada6b888420d5d540a8d35e23224fca1018b0694d1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\zcodvckwou.gqd
    Filesize

    5KB

    MD5

    3c9c816e9ca0f8356c6bfd406042cde6

    SHA1

    ac6fb443dad7659d8df1e23e74f9917ee6969b4f

    SHA256

    032431d5a1858419d327d5a4ed5992746c60b647d724e51844f2009ea63e5e25

    SHA512

    ebab34dcff47e8f127ea9840d17b8c068bca48f13bd1f9178496a654fc1cfa21c3e575538968a9744eea95ac1dbbcc6ae9fde067428affbea48b09bbf91c98fe

    Download Submit

  • memory/2660-132-0x0000000000000000-mapping.dmp

    Download

  • memory/3436-137-0x0000000000000000-mapping.dmp

    Download

  • memory/3436-139-0x0000000004AA0000-0x0000000005044000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3436-140-0x0000000000400000-0x000000000043F000-memory.dmp

    Filesize

    252KB

    Download

  • memory/3436-141-0x00000000049C0000-0x0000000004A5C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3436-142-0x00000000056E0000-0x0000000005746000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3436-143-0x0000000005CC0000-0x0000000005D52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3436-144-0x00000000060A0000-0x00000000060AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3436-145-0x0000000006160000-0x00000000061B0000-memory.dmp

    Filesize

    320KB

    Download