Overview

overview

10

Static

static

1

27caf0391d...8c.exe

windows7-x64

10

27caf0391d...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    170s
  • max time network
    192s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-02-2023 19:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27caf0391db69d2b2543a0172747e62a9a6e208c.exe

  • Size

    556KB

  • MD5

    b757c4ac5a46c4e9fc2cf9e924702804

  • SHA1

    27caf0391db69d2b2543a0172747e62a9a6e208c

  • SHA256

    6941a5420e23e7309cc09e6ffebf847a7c781dbbb726996a2b3d36340d347819

  • SHA512

    79cb0c6d3e2ec59f230fb221937104bd9a6890276eb1c0a8283340359380610cc8f8b3c0875b1b0e360967d50f924a9a8b4be7a2f70165927d3278f660198b36

  • SSDEEP

    12288:CYZ/txeoKFg+15c6qRUbTAg9sSBa04UtUFeJ9/TG+R:CYZ/HeoKC+1KnG9sSp4UtUcn/R

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27caf0391db69d2b2543a0172747e62a9a6e208c.exe
    "C:\Users\Admin\AppData\Local\Temp\27caf0391db69d2b2543a0172747e62a9a6e208c.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Users\Admin\AppData\Local\Temp\phqhhj.exe
      "C:\Users\Admin\AppData\Local\Temp\phqhhj.exe" C:\Users\Admin\AppData\Local\Temp\wlczo.xb
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4328
      • C:\Users\Admin\AppData\Local\Temp\phqhhj.exe
        "C:\Users\Admin\AppData\Local\Temp\phqhhj.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:232

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\phqhhj.exe
    Filesize

    332KB

    MD5

    2944001abd5735df39e6962bc0c37497

    SHA1

    4473dc8fe890aa8bf117e00e6b5fcf433352c77f

    SHA256

    0484b6558adaa6c638a4b9cc89bd485949b62f4988c29432f5b2326aa41a00b8

    SHA512

    134f92107ebfba9b9379946af618fe96e36a412fd8d94cf7b23f9b808172296b91cb6714bae2cbb343d3898954b80b657951fa644897ffa6826ad07ba664b5d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\phqhhj.exe
    Filesize

    332KB

    MD5

    2944001abd5735df39e6962bc0c37497

    SHA1

    4473dc8fe890aa8bf117e00e6b5fcf433352c77f

    SHA256

    0484b6558adaa6c638a4b9cc89bd485949b62f4988c29432f5b2326aa41a00b8

    SHA512

    134f92107ebfba9b9379946af618fe96e36a412fd8d94cf7b23f9b808172296b91cb6714bae2cbb343d3898954b80b657951fa644897ffa6826ad07ba664b5d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\phqhhj.exe
    Filesize

    332KB

    MD5

    2944001abd5735df39e6962bc0c37497

    SHA1

    4473dc8fe890aa8bf117e00e6b5fcf433352c77f

    SHA256

    0484b6558adaa6c638a4b9cc89bd485949b62f4988c29432f5b2326aa41a00b8

    SHA512

    134f92107ebfba9b9379946af618fe96e36a412fd8d94cf7b23f9b808172296b91cb6714bae2cbb343d3898954b80b657951fa644897ffa6826ad07ba664b5d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\rvewrhqjtc.ws
    Filesize

    263KB

    MD5

    703200c1820f0a7d090bb342573acffe

    SHA1

    d14a86cf92a11faa2692c113ad34306332aeee1b

    SHA256

    fabf628bb502705160b50886846b06951f50c19982d223664e518515f33ff78a

    SHA512

    010be668ca02ec30018ba02a2d70ce30db88cfdea06cb06813e546faaa6bf0b7397c9b7440dd8a5844a0210eb97cd646020a2789905b144f88a85420dfdf091e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\wlczo.xb
    Filesize

    5KB

    MD5

    069493cf50c4a4d645746c5158b1ab9c

    SHA1

    1dddb79af31ea90ce6d1d044eb8c6da422a9b715

    SHA256

    03101a83613201c1b3987f8b95aa1199246e7a7ec994de87fe988f891a1b6376

    SHA512

    2351d70da060f7704ff6302a68ba40485d6db77f7bb51d547085d6496754c694125778d6a85f2f404b34f056fa6dbb1435d82d074e5fdcab29aba9440e526a70

    Download Submit

  • memory/232-137-0x0000000000000000-mapping.dmp

    Download

  • memory/232-139-0x0000000005B70000-0x0000000006114000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/232-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/232-141-0x00000000055C0000-0x0000000005626000-memory.dmp

    Filesize

    408KB

    Download

  • memory/232-142-0x0000000006440000-0x00000000064D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/232-143-0x0000000006420000-0x000000000642A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/232-144-0x00000000066C0000-0x0000000006710000-memory.dmp

    Filesize

    320KB

    Download

  • memory/232-145-0x00000000068E0000-0x0000000006AA2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4328-132-0x0000000000000000-mapping.dmp

    Download