Overview

overview

10

Static

static

3

P30OwbdhQCNt5HS.exe

windows7-x64

10

P30OwbdhQCNt5HS.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    86s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    04/05/2023, 07:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    P30OwbdhQCNt5HS.exe

  • Size

    698KB

  • MD5

    43678482751038f9a87f50b0dc8e2f15

  • SHA1

    2735a27a9ba8de920eca46637c974b686bc2d20b

  • SHA256

    109ef5c322e2f5b9624f14914d4e4db3cd2ee7883f9c718c913616eb69277091

  • SHA512

    4ebaae9d12e72102fcbe374edd0f880e041485a3ccc802cee17c145ddf4ce7f221fc06a736b1a0096081b0bb9d854f6ef4699ab41424287a2be9060249865b46

  • SSDEEP

    12288:1BAni4Iyett3RbH/ZvlydI1tWHURMcSRV9ZUasth5KwQyX:1aWtxH/ZttRq9ZSK

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6190932047:AAFAXC_q-J_1tPTmmiqndMdlZipgoGT2Ypo/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\P30OwbdhQCNt5HS.exe
    "C:\Users\Admin\AppData\Local\Temp\P30OwbdhQCNt5HS.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1460
    • C:\Users\Admin\AppData\Local\Temp\P30OwbdhQCNt5HS.exe
      "C:\Users\Admin\AppData\Local\Temp\P30OwbdhQCNt5HS.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:588

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/588-66-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-68-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-89-0x0000000004A20000-0x0000000004A60000-memory.dmp

          Filesize

          256KB

          Download

        • memory/588-71-0x0000000004A20000-0x0000000004A60000-memory.dmp

          Filesize

          256KB

          Download

        • memory/588-70-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-64-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/588-61-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-62-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/588-63-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/1460-55-0x0000000004D50000-0x0000000004D90000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1460-60-0x0000000000B00000-0x0000000000B42000-memory.dmp

          Filesize

          264KB

          Download

        • memory/1460-54-0x0000000001100000-0x00000000011B4000-memory.dmp

          Filesize

          720KB

          Download

        • memory/1460-59-0x0000000005820000-0x000000000589A000-memory.dmp

          Filesize

          488KB

          Download

        • memory/1460-58-0x0000000000930000-0x000000000093C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1460-57-0x0000000004D50000-0x0000000004D90000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1460-56-0x0000000000870000-0x0000000000882000-memory.dmp

          Filesize

          72KB

          Download