Overview

overview

10

Static

static

1

shipment 0...93.exe

windows7-x64

10

shipment 0...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-03-2023 12:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    shipment 04629673893.exe

  • Size

    743KB

  • MD5

    4865f16a685bc3b34a91f595247f30e7

  • SHA1

    c9e898e4c7c9026f0fded242d499ddb61b69a639

  • SHA256

    64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057

  • SHA512

    db1f449a2983bcaee04aa66852d94190ad02482c9944b0d13134cdb82379d6a86721d5412903090450ce0b4ec8e5e9a629cad321b76a2a762d6bc7f548ebd864

  • SSDEEP

    12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe
    "C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4432
    • C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:824

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipment 04629673893.exe.log
    Filesize

    412B

    MD5

    e72888b5960716cf170f3e1becd14370

    SHA1

    0aeefd2d4a7948a03aad625ca86fc34d79adf248

    SHA256

    8317f594f74040b50e1b88f4aba5e6da3423bf47fe91df59e6e85f37b1f7e0ab

    SHA512

    9cdfda6fc4f324dfd8d53b46610114252431a5d26296a6f3d606b8ffeef172263fbde9ce0a1b2b9232dabcdabd33d6677e9a5f7693b175f24cea622c31b5c6b7

    Download Submit

  • memory/824-143-0x0000000006DA0000-0x0000000006DF0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/824-137-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/824-140-0x0000000005B80000-0x0000000006124000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/824-141-0x00000000056B0000-0x00000000056C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/824-142-0x00000000062F0000-0x0000000006356000-memory.dmp

    Filesize

    408KB

    Download

  • memory/824-147-0x0000000006F70000-0x0000000006F7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/824-148-0x00000000056B0000-0x00000000056C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/824-149-0x00000000056B0000-0x00000000056C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/824-150-0x00000000056B0000-0x00000000056C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4432-135-0x00000000056F0000-0x0000000005782000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4432-136-0x0000000005900000-0x0000000005910000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4432-134-0x0000000005650000-0x00000000056EC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4432-133-0x0000000000BC0000-0x0000000000C80000-memory.dmp

    Filesize

    768KB

    Download