Overview

overview

10

Static

static

3

Purchase O...13.exe

windows7-x64

10

Purchase O...13.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09/06/2023, 10:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order 11013.exe

  • Size

    103KB

  • MD5

    aec8743883c8342e2836d89cd38f7294

  • SHA1

    4dd7b5b6130887d528926ae35ef316357a1d6e27

  • SHA256

    44700efabdbbe386e2e689d0de94da92133cd2c36effe104ea5e8dc81a87fa5c

  • SHA512

    330773f0b0a0a860b403211ee972645a992b31acb8a6a21549b19b446689686030f8a1545379e3edd23fdd803f1d0333fd66cf4daddc8b7ba2af8ae4d9fc774d

  • SSDEEP

    768:YNLE6ewSRmSTY94dWN2P7b1IzPrXMkN336DX2AA:KE6ewSDY94du2PmfMkN3KDmAA

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6171107032:AAGnuLkWapUakrcrpegbgibDbN3r0phVBG4/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order 11013.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order 11013.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
      2⤵
        PID:1104
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        2⤵
          PID:524
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
          2⤵
          • Accesses Microsoft Outlook profiles
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:324

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/324-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/324-62-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-71-0x00000000003C0000-0x0000000000400000-memory.dmp

        Filesize

        256KB

        Download

      • memory/324-70-0x00000000003C0000-0x0000000000400000-memory.dmp

        Filesize

        256KB

        Download

      • memory/324-69-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-60-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-67-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-65-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-61-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/324-63-0x0000000000400000-0x0000000000430000-memory.dmp

        Filesize

        192KB

        Download

      • memory/1328-54-0x00000000008D0000-0x00000000008F0000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1328-55-0x0000000001F40000-0x0000000001F80000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1328-58-0x00000000053B0000-0x0000000005442000-memory.dmp

        Filesize

        584KB

        Download

      • memory/1328-57-0x0000000000490000-0x00000000004AA000-memory.dmp

        Filesize

        104KB

        Download

      • memory/1328-56-0x0000000007D30000-0x0000000007E2E000-memory.dmp

        Filesize

        1016KB

        Download