Overview

overview

10

Static

static

1

Ref 10M-86776.exe

windows7-x64

10

Ref 10M-86776.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    58s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/04/2023, 08:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ref 10M-86776.exe

  • Size

    571KB

  • MD5

    3c6d54f89cd52f8c4f41a1b003c1e5fa

  • SHA1

    6c26a9b09e37c9779772db922e9d8d83228b2a38

  • SHA256

    01a62036ee9f6e9b47a72087e1f6db8db779db05ce29d6850be9cae37b24589c

  • SHA512

    c38a606aeb6eee40a77af3f945c2b735de3af1b0ac41c28ae19b1530bfc2b98987ac617db7d7e5cf75fd08817e626c6a04a2dfe118750760c596c1f383ea2be4

  • SSDEEP

    12288:QWcikixolENVpaSMxAo0vBI7MBcwoeKVacKO6flkPK:yqtwxx7mKeYRx6fGP

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Ref 10M-86776.exe
    "C:\Users\Admin\AppData\Local\Temp\Ref 10M-86776.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:864
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:64
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4532

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/864-133-0x0000000000CA0000-0x0000000000D36000-memory.dmp

      Filesize

      600KB

      Download

    • memory/864-134-0x0000000005700000-0x000000000579C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/864-135-0x0000000005D50000-0x00000000062F4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/864-136-0x0000000005840000-0x00000000058D2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/864-137-0x00000000056E0000-0x00000000056EA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/864-138-0x0000000005A10000-0x0000000005A66000-memory.dmp

      Filesize

      344KB

      Download

    • memory/864-139-0x0000000005A00000-0x0000000005A10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/864-140-0x0000000005A00000-0x0000000005A10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4532-141-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4532-143-0x00000000055A0000-0x0000000005606000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4532-144-0x0000000005520000-0x0000000005530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4532-145-0x0000000006A70000-0x0000000006AC0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4532-146-0x0000000006C90000-0x0000000006E52000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4532-147-0x0000000005520000-0x0000000005530000-memory.dmp

      Filesize

      64KB

      Download