Overview

overview

10

Static

static

3

bea4f13b68...f0.exe

windows7-x64

10

bea4f13b68...f0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    64s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2023 15:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bea4f13b68a1437b995cf2fcf05e68f0.exe

  • Size

    677KB

  • MD5

    bea4f13b68a1437b995cf2fcf05e68f0

  • SHA1

    ca801f10bd5b786b60891a6e65994f82ffc32ec7

  • SHA256

    f2ea300dc80eddee0a6887ea6c61f7860bff20164ebe432ebb262b4d21a3265c

  • SHA512

    138ce2d56bd59e63c7a1b1102f2d9f45bcc28647e521afa317ea7f214675d3c5affe8a85b0ef9d1232f864ad31620def7f534e2533e87d780b1652c9ae92db96

  • SSDEEP

    12288:O3m+vY07/kbXc5ZsdcbjEJipYgxcbp80Ua7QvFH/igv+ZPUcRwL:4m0/kqJci/cbpB8lqgSUc6

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe
    "C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe
      "C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe"
      2⤵
        PID:3084
      • C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe
        "C:\Users\Admin\AppData\Local\Temp\bea4f13b68a1437b995cf2fcf05e68f0.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:2408

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\bea4f13b68a1437b995cf2fcf05e68f0.exe.log
      Filesize

      1KB

      MD5

      8ec831f3e3a3f77e4a7b9cd32b48384c

      SHA1

      d83f09fd87c5bd86e045873c231c14836e76a05c

      SHA256

      7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

      SHA512

      26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

      Download Submit

    • memory/2408-140-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/2408-148-0x0000000006FA0000-0x0000000007162000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2408-147-0x0000000005180000-0x0000000005190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2408-146-0x0000000006D80000-0x0000000006DD0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/2408-144-0x0000000005180000-0x0000000005190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2408-143-0x0000000005190000-0x00000000051F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3208-136-0x0000000004B10000-0x0000000004B1A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3208-139-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/3208-138-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3208-137-0x0000000004D00000-0x0000000004D10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3208-133-0x00000000000A0000-0x0000000000150000-memory.dmp

      Filesize

      704KB

      Download

    • memory/3208-135-0x0000000004B60000-0x0000000004BF2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3208-134-0x0000000005070000-0x0000000005614000-memory.dmp

      Filesize

      5.6MB

      Download