Overview

overview

10

Static

static

1

f2b1dd5d70...5b.exe

windows7-x64

10

f2b1dd5d70...5b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2023 19:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe

  • Size

    818KB

  • MD5

    056dbac271b4b97fac9016695f03be29

  • SHA1

    f2b1dd5d709a7e606002f1b2a0cda30e07d1635b

  • SHA256

    a67119e6131f2cf27b28044e3562d04abd86b62bcebbfa8ed7f4ecea90682f2d

  • SHA512

    6e9c26661573d89ec52e37e1c300bad30d215ffdddaddc8e1b357449c241f19e1dd19a44f14dff4d6c829efd8beeb165a03c4bcda0d853d981839ae84e727dbd

  • SSDEEP

    24576:keSqG4yPa46F0xM64kLOBLHK4FUgmaFq:ztWiFkLOBLHK4FUgm

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe
    "C:\Users\Admin\AppData\Local\Temp\f2b1dd5d709a7e606002f1b2a0cda30e07d1635b.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3248
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uUnNpOcmAQf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4844
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uUnNpOcmAQf" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2380
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
        PID:4812
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3380

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp9AB9.tmp
      Filesize

      1KB

      MD5

      d19bc7f87086c3dd882441b8556095ea

      SHA1

      613f1ed4f2394d8597d429977a9441cf943c266c

      SHA256

      18acbff01e453aead79db120784eab1423a8954fb481ca57810a717c644af7a8

      SHA512

      a3822dcbb09f3a976a2aeede4490cd6048670b0c9368c87c85fd2e2d4f42f2bd779e68ed495e45eeb5d033596a05f4954d84dd5cf3bbfbee45e89dc2d13e1274

      Download Submit

    • memory/2380-138-0x0000000000000000-mapping.dmp

      Download

    • memory/3248-135-0x0000000004EB0000-0x0000000004EBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3248-132-0x0000000000440000-0x0000000000514000-memory.dmp

      Filesize

      848KB

      Download

    • memory/3248-136-0x0000000008C80000-0x0000000008D1C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3248-134-0x0000000004F20000-0x0000000004FB2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3248-133-0x0000000005430000-0x00000000059D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3380-157-0x0000000007160000-0x0000000007322000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3380-156-0x0000000006F40000-0x0000000006F90000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3380-147-0x00000000053A0000-0x0000000005406000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3380-143-0x0000000000000000-mapping.dmp

      Download

    • memory/3380-144-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4812-141-0x0000000000000000-mapping.dmp

      Download

    • memory/4844-146-0x00000000053D0000-0x0000000005436000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4844-152-0x00000000074F0000-0x0000000007B6A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4844-142-0x0000000004D30000-0x0000000005358000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4844-148-0x0000000005BA0000-0x0000000005BBE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4844-149-0x0000000006170000-0x00000000061A2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4844-150-0x0000000071400000-0x000000007144C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4844-151-0x0000000006130000-0x000000000614E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4844-145-0x0000000004BE0000-0x0000000004C02000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4844-153-0x0000000006EA0000-0x0000000006EBA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4844-154-0x0000000006F10000-0x0000000006F1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4844-155-0x0000000007120000-0x00000000071B6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4844-139-0x00000000022A0000-0x00000000022D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4844-137-0x0000000000000000-mapping.dmp

      Download

    • memory/4844-158-0x00000000070D0000-0x00000000070DE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4844-159-0x00000000071E0000-0x00000000071FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4844-160-0x00000000071C0000-0x00000000071C8000-memory.dmp

      Filesize

      32KB

      Download