Analysis

  • max time kernel: 30s
  • max time network: 135s
  • platform: windows7_x64
  • resource: win7-20230220-en
  • resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted: 03/05/2023, 01:45

General

  • Target: 7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64.exe
  • Size: 566KB
  • MD5: 71c8f4b6fe02eae1ae062af24d751674
  • SHA1: f442aa3847109e33868e671d833314693f4202c1
  • SHA256: 7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64
  • SHA512: f9449e39035cac512dd5657d752ea7660f6148955af110e6a897a66a258e30b2ded77eb24221be202245804a8807c2c42f024822a559c1982c91f536f9705d86
  • SSDEEP: 12288:8YZ9daFLvg+AHMX89IX1p7X4Z36IeMLEJOXWV:8YZ9daFLvBAH7qX1FIZ3Leo6OM

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials and similar secrets.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64.exe
    "C:\Users\Admin\AppData\Local\Temp\7b4164cc352f02f53d9f49d8a5d6df6221b85c5412fcb133462c5d779730dc64.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\wnilggqyy.exe
      "C:\Users\Admin\AppData\Local\Temp\wnilggqyy.exe" C:\Users\Admin\AppData\Local\Temp\zixaxlhts.oz
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:928
      • C:\Users\Admin\AppData\Local\Temp\wnilggqyy.exe
        "C:\Users\Admin\AppData\Local\Temp\wnilggqyy.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:520

Network

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tovsndq.q
    Filesize: 482KB
    MD5: 1a98dc016fa7e93057012a354afeccaf
    SHA1: 615be860b9bef63a30f4bcbac366c7e94cd66df0
    SHA256: dead0052aa3ab3485863f31e8b881b8eeac74f1015e470115d607a6ec0dac112
    SHA512: 85f5b642b177cc6aee02153029b5cb9c2cb9172fae03d767139f6f5ac3207e17fcaa692402059598de6f801c9c9a5586bb99ed7ce0655412547b282bd36e21c9

  • C:\Users\Admin\AppData\Local\Temp\wnilggqyy.exe
    Filesize: 45KB
    MD5: 373e0b06b3c227434ae1c8eb6c5403f1
    SHA1: 1a6f1faed3a003e6d8624f221df3049d5da66d0a
    SHA256: 605f3f7c18d4e43f1a3e1468e04b2b6760e1d8b0674ce5777923abf2c93b4c23
    SHA512: 2b2c4d13ea34099af91ac803c6ebc4a818fdbe363959128803a5cef6166579405b6629790dfa365f1c79732cf80622f2ca0c856add757b59e949ddc52f690c8e

  • C:\Users\Admin\AppData\Local\Temp\zixaxlhts.oz
    Filesize: 5KB
    MD5: 1e47e31d39fe391101f1b9c48533f098
    SHA1: 2aecaf358293c13f8e73ab96a2fe108c93506d7d
    SHA256: 23603b5e19426180a84968a50de5a4c4faa8adc04ec8b9e92c8a50db4281084a
    SHA512: 7597261e46e4c6802530dbf20eca0136da70766af51e0f411fbe6b59ee43f5cbb6094b2da2142c36fa1d1041fb570bb12a143b842f1f7bf5f47d084762814042

  • \Users\Admin\AppData\Local\Temp\wnilggqyy.exe
    Filesize: 45KB
    MD5: 373e0b06b3c227434ae1c8eb6c5403f1
    SHA1: 1a6f1faed3a003e6d8624f221df3049d5da66d0a
    SHA256: 605f3f7c18d4e43f1a3e1468e04b2b6760e1d8b0674ce5777923abf2c93b4c23
    SHA512: 2b2c4d13ea34099af91ac803c6ebc4a818fdbe363959128803a5cef6166579405b6629790dfa365f1c79732cf80622f2ca0c856add757b59e949ddc52f690c8e

  • memory/520-65-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB

  • memory/520-69-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB

  • memory/520-70-0x0000000000400000-0x0000000000478000-memory.dmp
    Filesize: 480KB

  • memory/520-71-0x0000000000620000-0x0000000000686000-memory.dmp
    Filesize: 408KB

  • memory/520-72-0x0000000000D10000-0x0000000000D50000-memory.dmp
    Filesize: 256KB