Overview

overview

10

Static

static

1

3736a32db4...b8.exe

windows7-x64

10

3736a32db4...b8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    126s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2023, 01:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    3736a32db47acc255fcf48ecbc756e24eecd93fe5d5b3267d5c4c1eca68430b8.exe

  • Size

    324KB

  • MD5

    7513d92dd73d9db3285bed20b2ea8bda

  • SHA1

    8039c0a3b570da6b29c3ca0bc9d5803bf46e7bc9

  • SHA256

    3736a32db47acc255fcf48ecbc756e24eecd93fe5d5b3267d5c4c1eca68430b8

  • SHA512

    c7dd36c252107e5b0954dc32e439092248533600c9bb1fd12406c5b24bc3eadbd6a5efbb1a1938a260b857c94cd6c7dd4bb824373de9c5376b4f4b398f6244d1

  • SSDEEP

    6144:vYa6kNxUn+H2kUSEs82wsFfE+9YwuqEeR/1ABwEVN5NCQcFUsFt7:vY6NQs8A1v9YwfNV1ABwEf5NCQcFUCt7

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3736a32db47acc255fcf48ecbc756e24eecd93fe5d5b3267d5c4c1eca68430b8.exe
    "C:\Users\Admin\AppData\Local\Temp\3736a32db47acc255fcf48ecbc756e24eecd93fe5d5b3267d5c4c1eca68430b8.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1560
    • C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe
      "C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe" C:\Users\Admin\AppData\Local\Temp\wptkfblf.cyj
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe
        "C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3876

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe
          Filesize

          130KB

          MD5

          150146221faa1c50665a0a27649e0555

          SHA1

          1a085d5c261f660e8b0f6f18edd26bb4c699a737

          SHA256

          41580b3d54406a84c5232f46a53ad85e081a41a196355076f6bbb204a8246b06

          SHA512

          b46435e058601757990b5bebce1d93030877d1ec2d6f9d797b0211183ab5cacd2c63ee006b19243eb7e2c00e6f93cbb80181e4c9000475ebc322bccf0714f9a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe
          Filesize

          130KB

          MD5

          150146221faa1c50665a0a27649e0555

          SHA1

          1a085d5c261f660e8b0f6f18edd26bb4c699a737

          SHA256

          41580b3d54406a84c5232f46a53ad85e081a41a196355076f6bbb204a8246b06

          SHA512

          b46435e058601757990b5bebce1d93030877d1ec2d6f9d797b0211183ab5cacd2c63ee006b19243eb7e2c00e6f93cbb80181e4c9000475ebc322bccf0714f9a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\igbdmfeeg.exe
          Filesize

          130KB

          MD5

          150146221faa1c50665a0a27649e0555

          SHA1

          1a085d5c261f660e8b0f6f18edd26bb4c699a737

          SHA256

          41580b3d54406a84c5232f46a53ad85e081a41a196355076f6bbb204a8246b06

          SHA512

          b46435e058601757990b5bebce1d93030877d1ec2d6f9d797b0211183ab5cacd2c63ee006b19243eb7e2c00e6f93cbb80181e4c9000475ebc322bccf0714f9a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\mygtyubvqnq.fsy
          Filesize

          262KB

          MD5

          282516b6b6bd0bb525f2c36a051cfc05

          SHA1

          a3204330c2ddbc8279721d8a4c523f77da4d32e5

          SHA256

          9b42124b7d2d1e24a2cfa594aa0400cb91450d2b17fa39fb2a647c28bf8dc9d2

          SHA512

          7531ad6d9a4fb56eaf50da9aefba8ae4541e54db246e0195ec77cf8dd6e3b9e1d45e3be59645e8779843daa2493b48e637594b214c0b99e6c3888f437a6f972a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\wptkfblf.cyj
          Filesize

          5KB

          MD5

          ea6a4055086b77f09853b1852221b020

          SHA1

          baac2c7bc2ff6dbf2d11d9105eb516a0dcce6e8d

          SHA256

          fe4129084f18948e11b6df978cb320a919919877daac52aab8ae4fc14cb9b256

          SHA512

          99ec130f918c26694470a5edb9953de0522b9db0bb919d17f377e75b93f675ed8603237e7fa8054eb82278cbe86a2c8a8001198f006a05b9b5db80e57537d0b4

          Download Submit

        • memory/3876-149-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3876-153-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-145-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3876-147-0x0000000004AC0000-0x0000000005064000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3876-148-0x00000000049F0000-0x0000000004A56000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3876-142-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3876-150-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-152-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-151-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-144-0x0000000000400000-0x0000000000441000-memory.dmp

          Filesize

          260KB

          Download

        • memory/3876-154-0x0000000005890000-0x0000000005922000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3876-155-0x0000000005880000-0x000000000588A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3876-156-0x0000000005B50000-0x0000000005BA0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3876-157-0x0000000005BA0000-0x0000000005D62000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/3876-159-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-160-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-161-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3876-162-0x0000000004AB0000-0x0000000004AC0000-memory.dmp

          Filesize

          64KB

          Download