Overview

overview

10

Static

static

10

1560-67-0x...ry.exe

windows7-x64

10

1560-67-0x...ry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    105s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2023 09:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1560-67-0x0000000002160000-0x0000000002192000-memory.exe

  • Size

    200KB

  • MD5

    a04095cdad677ecf2f9c5e7b4043e0bf

  • SHA1

    a57fdbf035ac9659ec7064e1ea0ccd890b1cbd51

  • SHA256

    0ce09c3887a0d02325f56edad03d3d9a53a8854416062608071fb56854014f20

  • SHA512

    95f9ecb39fb3445db0d965d394af4471c4ba6e9494a8addd80956ab4b48df51527eef3547212fa3c5e5bee639b7e42d70c6dae4d44a1d1ff2a47bb9040c7b19c

  • SSDEEP

    3072:aQg1LpIREWOpQHt1r8FAOzOePl5u8xFFmfRuQA0du3AEm73H7zBh99GD:9g1IFOpAP4LzpvhxIR63ABD9

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5632243658:AAGtdfDUACtfzcKVA5ebRWpS-znBxjGH5uo/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1560-67-0x0000000002160000-0x0000000002192000-memory.exe
    "C:\Users\Admin\AppData\Local\Temp\1560-67-0x0000000002160000-0x0000000002192000-memory.exe"
    1⤵
    • Accesses Microsoft Outlook profiles
    • Suspicious use of AdjustPrivilegeToken
    • outlook_office_path
    • outlook_win_path
    PID:384

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/384-133-0x0000000000A60000-0x0000000000A92000-memory.dmp

    Filesize

    200KB

    Download

  • memory/384-134-0x00000000059F0000-0x0000000005F94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/384-135-0x0000000005440000-0x00000000054A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/384-136-0x00000000054F0000-0x0000000005500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/384-137-0x0000000006E90000-0x0000000006F22000-memory.dmp

    Filesize

    584KB

    Download

  • memory/384-138-0x0000000006E60000-0x0000000006E6A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/384-139-0x00000000070F0000-0x0000000007140000-memory.dmp

    Filesize

    320KB

    Download

  • memory/384-140-0x0000000007310000-0x00000000074D2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/384-141-0x00000000054F0000-0x0000000005500000-memory.dmp

    Filesize

    64KB

    Download