Overview

overview

10

Static

static

3

IMG_7001_8072pdf.exe

windows7-x64

10

IMG_7001_8072pdf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/05/2023, 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    IMG_7001_8072pdf.exe

  • Size

    292KB

  • MD5

    50b81721effc6c7e08a3c734a6d526cf

  • SHA1

    7728a4eaeaf058bd0df79a63b1137a8a428c7e20

  • SHA256

    f4a0b96ac60450021cf3dd030d05b3a8a9f2a7c586b376d09f4988938093773f

  • SHA512

    a46026a676c2cc9e3a51d799ecca815ab09c01d89e7618323cb3dee0c3bb60b1830873b356254babe92f24d8ae0de5810f284d0307c4bb46f4241c508cc988c4

  • SSDEEP

    6144:dDxhk+LJwJxtKruju+JJJL8DrGb4LZ8qzT+JTl9:drFLyxtwSxJv8DfZ8qzTO

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\IMG_7001_8072pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_7001_8072pdf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2440
    • C:\Users\Admin\AppData\Local\Temp\IMG_7001_8072pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\IMG_7001_8072pdf.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:1276

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\IMG_7001_8072pdf.exe.log
    Filesize

    886B

    MD5

    1de4321733072682805c444f3c647acd

    SHA1

    e6f685512dd9334eba7d8c566eeacb668f3da17d

    SHA256

    dc7dbd177ff59eff8d07c56e48df3dbdd8ca4699023e4c03811061fb9ea73cad

    SHA512

    162a01f77533daab9148c84e957041f86af47f03d983d7cf400bca19396e8a799609d67835c2bee8a0e9e54c7a9ccbe8a51044aeefbd3d24d57f9f09be90c7ff

    Download Submit

  • memory/1276-148-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1276-147-0x0000000006AF0000-0x0000000006AFA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1276-146-0x0000000006CA0000-0x0000000006E62000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/1276-145-0x0000000006A80000-0x0000000006AD0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1276-144-0x00000000052E0000-0x00000000052F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1276-143-0x00000000052F0000-0x0000000005356000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1276-140-0x0000000000400000-0x0000000000430000-memory.dmp

    Filesize

    192KB

    Download

  • memory/2440-136-0x0000000005020000-0x00000000050B2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2440-139-0x0000000004FD0000-0x0000000004FEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2440-138-0x00000000050C0000-0x0000000005136000-memory.dmp

    Filesize

    472KB

    Download

  • memory/2440-137-0x0000000004E20000-0x0000000004E30000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2440-133-0x00000000004A0000-0x00000000004F0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2440-135-0x00000000054F0000-0x0000000005A94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2440-134-0x0000000004E50000-0x0000000004EEC000-memory.dmp

    Filesize

    624KB

    Download