Analysis

  • max time kernel
    91s
  • max time network
    131s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-01-2023 18:47

General

  • Target

    8c0affc928dd817fa864a9211f11f89fd36701aa.exe

  • Size

    571KB

  • MD5

    95bfd4665a21e54e620676e1cef82fc2

  • SHA1

    8c0affc928dd817fa864a9211f11f89fd36701aa

  • SHA256

    915cb8994b02a7d735b230b000ee1d7797500c5c0846b24103a9ad63956cbb41

  • SHA512

    7ec7c12d4369b61a282eec87be532923f8aa2b24e24a246834030610e1d143904e25c27f1328186a2100d157eb3104e7e5ef3e20aca8c75370fdb043153d7a19

  • SSDEEP

    12288:gYziYVrBhcLnvtVsKECqKgYGT+mSziTPsJrnK4/im:gYziY9q3zcVYGTRaib0n1im

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0affc928dd817fa864a9211f11f89fd36701aa.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0affc928dd817fa864a9211f11f89fd36701aa.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2180
    • C:\Users\Admin\AppData\Local\Temp\ktuqfv.exe
      "C:\Users\Admin\AppData\Local\Temp\ktuqfv.exe" C:\Users\Admin\AppData\Local\Temp\ppsdtvlem.xob
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Users\Admin\AppData\Local\Temp\ktuqfv.exe
        "C:\Users\Admin\AppData\Local\Temp\ktuqfv.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2808

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Local\Temp\ktuqfv.exe

    Filesize

    52KB

    MD5

    020a5aa1ffbe44f97f3751bc8e9b2dcd

    SHA1

    1d5e2fac8571445ef89c4920e36e2fc11b2e0b3f

    SHA256

    7b20dd5061bdb757e8efbbdd4a1ce549b1a76ebcebd9ae061fc06484873c10a2

    SHA512

    bfcfb295a86e852384edf701547943ed83a28cd069965685919f3c65ce3ae7a10c7f93815c8fc3e9fbfac5aa49b562206e6f9bf79c469363a51e75b3898de2a4

  • C:\Users\Admin\AppData\Local\Temp\ppsdtvlem.xob

    Filesize

    5KB

    MD5

    be5c5aff821434ef05427f42d5795688

    SHA1

    14b550a6c69837d660b04a697511b333d88754c4

    SHA256

    669aa058a22645ebb0e9d6f7313e6519415f7889971c067f4eb3da61621dacbf

    SHA512

    a78ec795f26035aefc3946869c61365c9369253bed9e2823822a794467be86504b31de7727fdfd98996befc0fb77d94288ffb8c16dbe785bbd9ca2ceab14b510

  • C:\Users\Admin\AppData\Local\Temp\tcyszkvkv.k

    Filesize

    315KB

    MD5

    20273494baf235ea75bf04836980c092

    SHA1

    112b31d4a15085857da00bfeb2e79649ae02e490

    SHA256

    672f37e6a585df40b3cd37350f4e90119719de8f1ad34aece8cc93c2ef214c05

    SHA512

    f6268fe0a1d17c918f2de934af516b0c7002c320b3e17e67434636c172a21bcadb42012ec26c806dea3f809c8dc7eb9ccb933518eaf16fa4e8b7a631e7ebc6ef

  • memory/2808-137-0x0000000000000000-mapping.dmp

  • memory/2808-139-0x0000000000400000-0x000000000044E000-memory.dmp

    Filesize

    312KB

  • memory/2808-140-0x0000000004AA0000-0x0000000005044000-memory.dmp

    Filesize

    5.6MB

  • memory/2808-141-0x0000000005050000-0x00000000050EC000-memory.dmp

    Filesize

    624KB

  • memory/2808-142-0x00000000059A0000-0x0000000005A06000-memory.dmp

    Filesize

    408KB

  • memory/2808-143-0x0000000005B90000-0x0000000005BE0000-memory.dmp

    Filesize

    320KB

  • memory/2808-144-0x0000000005CF0000-0x0000000005D82000-memory.dmp

    Filesize

    584KB

  • memory/2808-145-0x00000000060A0000-0x00000000060AA000-memory.dmp

    Filesize

    40KB

  • memory/3060-132-0x0000000000000000-mapping.dmp