Overview

overview

10

Static

static

1

R09876556789000G.jar

windows7-x64

10

R09876556789000G.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2023 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    R09876556789000G.jar

  • Size

    1.1MB

  • MD5

    89b1c7884d5ec1bfc18142f725fde3f8

  • SHA1

    e95ab3a5eca60dd08fe4703abe420a29cf357a2f

  • SHA256

    b79d1da91f9a15f6bc930bd5b4bf714c016862f04052c3dd5cb79c3464e0f775

  • SHA512

    1f81f2de35ad05321fc3761b601a1a82af7e64d93f5072acfbcd262a34ae8acd610a93629369963dfa35e893aae7b423030456a896d11bc965544f73aa94934f

  • SSDEEP

    24576:EoOQtokLVRpJOemLmrq5OI5HR735U09kLVRpJOemLmrq5OI5HR735U0C:EjkBRpXrq5nHR779kBRpXrq5nHR77C

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 3 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 50 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\R09876556789000G.jar
    1⤵
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\9qHd.exe
      C:\Users\Admin\9qHd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\9qHd.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1320
      • C:\Users\Admin\9qHd.exe
        "C:\Users\Admin\9qHd.exe"
        3⤵
        • Executes dropped EXE
        PID:1460
      • C:\Users\Admin\9qHd.exe
        "C:\Users\Admin\9qHd.exe"
        3⤵
        • Executes dropped EXE
        PID:1660
      • C:\Users\Admin\9qHd.exe
        "C:\Users\Admin\9qHd.exe"
        3⤵
        • Executes dropped EXE
        PID:1556
      • C:\Users\Admin\9qHd.exe
        "C:\Users\Admin\9qHd.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
    • C:\Users\Admin\hmx6w5V.exe
      "C:\Users\Admin\hmx6w5V.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1668
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe
        "Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\hmx6w5V.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'
        3⤵
        • Drops startup file
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:880
      • C:\Users\Admin\hmx6w5V.exe
        "C:\Users\Admin\hmx6w5V.exe"
        3⤵
        • Executes dropped EXE
        PID:1684
      • C:\Users\Admin\hmx6w5V.exe
        "C:\Users\Admin\hmx6w5V.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:1328

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\9qHd.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    62KB

    MD5

    3ac860860707baaf32469fa7cc7c0192

    SHA1

    c33c2acdaba0e6fa41fd2f00f186804722477639

    SHA256

    d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904

    SHA512

    d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9deaed5bdf93c5a90f371efd896a6db3

    SHA1

    a16ed444c6c2d3e69602302aca9759be7dfcc602

    SHA256

    dcc6a768df4c09f640c66c78cc3ab18ff5f4ac47bbe8129c885d2783ff1e450b

    SHA512

    99b8d91392e768c11f367aa676b75b8bbd82707ba06388ecc5c3a745188d7fdf950da751d50d7186f2f7fe9a009dc9baa5dff2255af5cccea8b2c66e2ad02051

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabAEB7.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6K57OJ3HHT6TMGEKXI5L.temp
    Filesize

    7KB

    MD5

    e7892e230bd1e3c12c7f4c2b5544b771

    SHA1

    3d577f33a4805f6f7eeae20be5556c9d275d2724

    SHA256

    d4f85f42c0793317c583ade5aa881838c96fef60bfa125ca87c77d636e45e312

    SHA512

    122074b9304f62d33cdc0d94b0f1d26641bbb1121a319bef00c45784ef08a47abc3f73c6e2e72cd8c8502425ef14860980896f008d0d652dacc1b1f483b8f4bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    e7892e230bd1e3c12c7f4c2b5544b771

    SHA1

    3d577f33a4805f6f7eeae20be5556c9d275d2724

    SHA256

    d4f85f42c0793317c583ade5aa881838c96fef60bfa125ca87c77d636e45e312

    SHA512

    122074b9304f62d33cdc0d94b0f1d26641bbb1121a319bef00c45784ef08a47abc3f73c6e2e72cd8c8502425ef14860980896f008d0d652dacc1b1f483b8f4bf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\hmx6w5V.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\hmx6w5V.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\hmx6w5V.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\hmx6w5V.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • C:\Users\Admin\hmx6w5V.exe
    Filesize

    815KB

    MD5

    d1f6fe10493bfd93348ff96d17fc74d9

    SHA1

    f25bbe742f47d68d63b78b9e9a7bb0a75a285069

    SHA256

    0c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322

    SHA512

    a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806

    Download Submit

  • memory/880-115-0x00000000021C0000-0x0000000002200000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1028-85-0x0000000004CA0000-0x0000000004CE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1028-82-0x0000000000360000-0x00000000003A2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1028-78-0x0000000000210000-0x00000000002E2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/1320-117-0x0000000002260000-0x00000000022A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1328-105-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-129-0x0000000005050000-0x0000000005090000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1328-107-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1328-171-0x0000000005050000-0x0000000005090000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1328-109-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-104-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-120-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-103-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-114-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1328-102-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1576-130-0x0000000004D90000-0x0000000004DD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1576-116-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1576-172-0x0000000004D90000-0x0000000004DD0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1668-101-0x0000000000540000-0x000000000054A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1668-87-0x0000000004950000-0x0000000004990000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1668-83-0x00000000003C0000-0x0000000000402000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1668-81-0x00000000009E0000-0x0000000000AB2000-memory.dmp

    Filesize

    840KB

    Download

  • memory/2008-63-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-100-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-92-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-88-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2008-84-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download