Overview

overview

10

Static

static

3

Statement ...nt.exe

windows7-x64

10

Statement ...nt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-07-2023 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement of Account.exe

  • Size

    374KB

  • MD5

    d63fd2dc2789389acc18b3692ee74fb3

  • SHA1

    93aab7603ca6b92ca30633fff678e705b4a78161

  • SHA256

    0a8f6e16fbacee3c0e929af360aab8f396937f31ebd07344f0ac295465071b45

  • SHA512

    87688f239f9e06b7ddd5ebfd128c05a354126ea1640a95588c13e7a6376de78a0dd698294318f20adbd35a09ad0a5d203425cd9175bfb3dc8c5d673061154bed

  • SSDEEP

    6144:vYa6paKA2ZWu8Q+dxEqasuxi7znzyA6RR1+YLCkxy9B3nhP6INOKkS/aGo56H3h:vYraKA2ou8LdksLXzIf1Zmkxy9BnkMZ1

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe
      "C:\Users\Admin\AppData\Local\Temp\Statement of Account.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4780

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nsm7DFC.tmp\xsrkmjxamk.dll
    Filesize

    255KB

    MD5

    3d4c28d1f511a9aae8bdd8781daeb1db

    SHA1

    84de2a4278d1954a3a25721e1b55a901e818ba4c

    SHA256

    beb6eb545dbf839bc274acadc7b5ca0f2984ea750c4ffae19b0ca78f2e74922f

    SHA512

    5c782a1e41d6d15c550cd76cded3a5f67f62aead0a90f7ebdee168a9afa367dc9781d6aa63ca03dee346f93130dd6bb619a0128c1c239cac3380ba7f5cdcb249

    Download Submit

  • memory/2428-139-0x0000000002300000-0x0000000002302000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4780-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4780-141-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4780-142-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4780-143-0x0000000004A10000-0x0000000004FB4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4780-144-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/4780-145-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-146-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-147-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-148-0x0000000004FC0000-0x0000000005026000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4780-149-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-150-0x0000000005580000-0x00000000055D0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4780-151-0x00000000055D0000-0x0000000005792000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/4780-152-0x00000000057A0000-0x0000000005832000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4780-153-0x00000000058A0000-0x00000000058AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4780-155-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-156-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-157-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-158-0x0000000004A00000-0x0000000004A10000-memory.dmp

    Filesize

    64KB

    Download