Overview

overview

10

Static

static

3

AITSlip340...xe.exe

windows7-x64

10

AITSlip340...xe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/06/2023, 14:14

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    AITSlip3409748invexe.exe

  • Size

    589KB

  • MD5

    b796e38c482448f701956276a3a0d0e6

  • SHA1

    0d4ef72c89b7794eb5c4e23d636d39a8e38481be

  • SHA256

    b732593ae4c3d533d3ec021f91be15f52dc0f9799fae9ec7fdcddf4155e1c110

  • SHA512

    ef40781de9b7226617451a3bffc870d560054d4f333aa48d452f116439de490353dfb2c3929498c187517639b5ed8fdefe2142b893ff99930f958033bc3fd7bb

  • SSDEEP

    12288:GBlP14nzTX4tPFwVR2+6irp0NAPXy9Al:a514nzMtWVInZ2Fl

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AITSlip3409748invexe.exe
    "C:\Users\Admin\AppData\Local\Temp\AITSlip3409748invexe.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:5080
    • C:\Users\Admin\AppData\Local\Temp\AITSlip3409748invexe.exe
      "C:\Users\Admin\AppData\Local\Temp\AITSlip3409748invexe.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:960

Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\AITSlip3409748invexe.exe.log
          Filesize

          1KB

          MD5

          8ec831f3e3a3f77e4a7b9cd32b48384c

          SHA1

          d83f09fd87c5bd86e045873c231c14836e76a05c

          SHA256

          7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982

          SHA512

          26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3

          Download Submit

        • memory/960-140-0x0000000000400000-0x0000000000430000-memory.dmp

          Filesize

          192KB

          Download

        • memory/960-147-0x0000000006950000-0x0000000006B12000-memory.dmp

          Filesize

          1.8MB

          Download

        • memory/960-146-0x0000000006730000-0x0000000006780000-memory.dmp

          Filesize

          320KB

          Download

        • memory/960-145-0x0000000005060000-0x0000000005070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/960-144-0x0000000005060000-0x0000000005070000-memory.dmp

          Filesize

          64KB

          Download

        • memory/960-143-0x0000000004EE0000-0x0000000004F46000-memory.dmp

          Filesize

          408KB

          Download

        • memory/5080-136-0x0000000005420000-0x0000000005430000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5080-139-0x000000000AC90000-0x000000000AD2C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/5080-138-0x0000000005420000-0x0000000005430000-memory.dmp

          Filesize

          64KB

          Download

        • memory/5080-137-0x0000000005220000-0x000000000522A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/5080-133-0x00000000007E0000-0x000000000087A000-memory.dmp

          Filesize

          616KB

          Download

        • memory/5080-135-0x0000000005240000-0x00000000052D2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/5080-134-0x0000000005750000-0x0000000005CF4000-memory.dmp

          Filesize

          5.6MB

          Download