Overview

overview

10

Static

static

10

Eclipse BETA.exe

windows10-2004-x64

10

EclipseCli...se.exe

windows10-2004-x64

10

Resubmissions

08/06/2023, 02:19

230608-crwkysah43 10

08/06/2023, 02:11

230608-cmjqlabc61 10

Analysis

  • max time kernel
    81s
  • max time network
    84s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2023, 02:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Eclipse BETA.exe

  • Size

    22KB

  • MD5

    ba7c345c6f2ec9b18a453c7382436737

  • SHA1

    9e70e12a61c1ba3b01d41fd8c7e670f697e423ba

  • SHA256

    47cb13c367f9ea1388c908049382721b1760c257afce0b6443b338f25f3b4594

  • SHA512

    20bc340362c715710ef2e0b98361e77f56ab866804c690d96cb4279666ecb3d070af816e93044b136e1b2470c7c7cf823f021a29b4c5713e2e2fe69068ee1e8e

  • SSDEEP

    384:buZxaYaRziTKLHtwr0vHzUJKq6faofAHaPjTJxqd32Q0ASrzWXYAsZi6YT/r:buZk1zj/zwKqsa0hMd32Q01foYTSDr

Score
10/10
agentteslaevasionkeyloggerspywarestealerthemidatrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Themida packer 2 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Eclipse BETA.exe
    "C:\Users\Admin\AppData\Local\Temp\Eclipse BETA.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1004
    • C:\Users\Admin\AppData\Local\Temp\EclipseClient\Eclipse.exe
      "C:\Users\Admin\AppData\Local\Temp\EclipseClient\Eclipse.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:1760

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1004-133-0x0000000000430000-0x000000000043C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/1004-134-0x0000000004D90000-0x0000000004E2C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/1004-135-0x0000000005460000-0x0000000005A04000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/1004-136-0x0000000004F50000-0x0000000004FE2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/1004-137-0x0000000004E60000-0x0000000004E6A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1004-138-0x0000000005100000-0x0000000005156000-memory.dmp

          Filesize

          344KB

          Download

        • memory/1004-139-0x00000000051D0000-0x00000000051E0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1760-140-0x0000000000CE0000-0x0000000002074000-memory.dmp

          Filesize

          19.6MB

          Download

        • memory/1760-144-0x0000000000CE0000-0x0000000002074000-memory.dmp

          Filesize

          19.6MB

          Download

        • memory/1760-145-0x0000000000CE0000-0x0000000002074000-memory.dmp

          Filesize

          19.6MB

          Download

        • memory/1760-146-0x0000000006840000-0x0000000006850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1760-147-0x0000000006640000-0x0000000006652000-memory.dmp

          Filesize

          72KB

          Download

        • memory/1760-148-0x0000000006630000-0x000000000663A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1760-149-0x0000000007460000-0x0000000007656000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/1760-150-0x0000000009A60000-0x0000000009A68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1760-151-0x0000000009AE0000-0x0000000009B46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1760-152-0x0000000009A70000-0x0000000009A78000-memory.dmp

          Filesize

          32KB

          Download

        • memory/1760-154-0x0000000006840000-0x0000000006850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1760-155-0x0000000000CE0000-0x0000000002074000-memory.dmp

          Filesize

          19.6MB

          Download

        • memory/1760-156-0x0000000006840000-0x0000000006850000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1760-158-0x0000000006840000-0x0000000006850000-memory.dmp

          Filesize

          64KB

          Download