Analysis

  • max time kernel
    141s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    28-03-2023 01:52

General

  • Target

    PO 5326976.exe

  • Size

    320KB

  • MD5

    3e156414a3514dc7228eb4ff71f0c730

  • SHA1

    8f5929d4b6dac662c5044b9ae372bd1e3b13fd1d

  • SHA256

    af9516862a7fd0fc54b7979064e75a5a8d1aa908ece62eec5900581ca90bd339

  • SHA512

    7eedb72e9a90840de075028904b250852f33e13388cb97e283dbe8ae6f69d01db1fc9526a46c67f2610263a88ebd1f89b3d6cef86902419d8ff8913df8ce39f0

  • SSDEEP

    6144:/Ya6dCELRWDCnUWTrucf1Kwkb3v04WSIEwi8tgFC:/Y/CAB3FFkb37WSAjes

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO 5326976.exe
    "C:\Users\Admin\AppData\Local\Temp\PO 5326976.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1992
    • C:\Users\Admin\AppData\Local\Temp\fwilxo.exe
      "C:\Users\Admin\AppData\Local\Temp\fwilxo.exe" C:\Users\Admin\AppData\Local\Temp\brmoge.cp
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\fwilxo.exe
        "C:\Users\Admin\AppData\Local\Temp\fwilxo.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

  Tactic             Technique                      Count  ID
  Credential Access  Credentials in Files           3      T1081
  Discovery          System Information Discovery   1      T1082
  Collection         Data from Local System         3      T1005
  Collection         Email Collection               1      T1114

Downloads

  • C:\Users\Admin\AppData\Local\Temp\brmoge.cp
    Filesize

    5KB

    MD5

    56b427842ea05c9bc80931c2c59d2e2a

    SHA1

    08903f5f89c411e68e308a256e216ab825482ebe

    SHA256

    4bb24da31e192daefe242e75a44e2d27301f1f54e4082fdebfcd9b6ba3bec078

    SHA512

    5ee654413b77f1f750f7836d576506cf1144a39020b30b15162d2be58a2dc6bcba3753cd8eb6a5e164c539f20407b6d90f7edc419aca197ffb0370beffcb6520

  • C:\Users\Admin\AppData\Local\Temp\fwilxo.exe
    Filesize

    138KB

    MD5

    b75e2f82e6dc7ab9a3189f4c3bf530dd

    SHA1

    d5246fb14139a7775e2cba16913dc87ae13f0017

    SHA256

    db27e48dbd9880d2ce0ceb5473145faf608640b41bb1e457335d838271745ce9

    SHA512

    156cc67d1abed85d4a4a22affd9f6dd8d4a15a765eef4c27bd9e0f3e2dd96a4a24a13dc752b22239d3208ecdf67c66a5c98be51245f1ff12d45df61f4a35e1f9

  • C:\Users\Admin\AppData\Local\Temp\xqdah.nfb
    Filesize

    262KB

    MD5

    3f7f9e53341a865fda910b162997c814

    SHA1

    2a14d2ce5bdb32367fa5775fbf9e48912f463d0b

    SHA256

    501b8ebddaa29b6c2c012a9bb1f4a3038a56fc8cedb71f05f4d8cc7ccbc6785c

    SHA512

    903906ba3abf80e2da0b88100149a4616dde7ab5bdaaa82bbca8a318da878495b69aa854367c9f08a32af43f8b9ab6b8d8a3fdaf7882709d3f9c55dc0938dee5

  • \Users\Admin\AppData\Local\Temp\fwilxo.exe
    Filesize

    138KB

    MD5

    b75e2f82e6dc7ab9a3189f4c3bf530dd

    SHA1

    d5246fb14139a7775e2cba16913dc87ae13f0017

    SHA256

    db27e48dbd9880d2ce0ceb5473145faf608640b41bb1e457335d838271745ce9

    SHA512

    156cc67d1abed85d4a4a22affd9f6dd8d4a15a765eef4c27bd9e0f3e2dd96a4a24a13dc752b22239d3208ecdf67c66a5c98be51245f1ff12d45df61f4a35e1f9

  • memory/856-68-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/856-72-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/856-73-0x0000000001E80000-0x0000000001EB0000-memory.dmp
    Filesize

    192KB

  • memory/856-75-0x0000000001F00000-0x0000000001F40000-memory.dmp
    Filesize

    256KB

  • memory/856-74-0x0000000000400000-0x0000000000441000-memory.dmp
    Filesize

    260KB

  • memory/856-76-0x0000000001F00000-0x0000000001F40000-memory.dmp
    Filesize

    256KB