Overview

overview

10

Static

static

10

1b7f039e2b...67.exe

windows7-x64

10

1b7f039e2b...67.exe

windows10-2004-x64

10

1bc393e569...5e.exe

windows7-x64

10

1bc393e569...5e.exe

windows10-2004-x64

10

1d25e50b1c...af.exe

windows7-x64

10

1d25e50b1c...af.exe

windows10-2004-x64

10

1d9b74bfd7...93.exe

windows7-x64

10

1d9b74bfd7...93.exe

windows10-2004-x64

10

1e62a268e2...29.exe

windows7-x64

10

1e62a268e2...29.exe

windows10-2004-x64

10

1ed6220c49...b1.exe

windows7-x64

10

1ed6220c49...b1.exe

windows10-2004-x64

10

1ee2d1e645...0a.exe

windows7-x64

10

1ee2d1e645...0a.exe

windows10-2004-x64

10

1f7f6ca2d7...0a.exe

windows7-x64

10

1f7f6ca2d7...0a.exe

windows10-2004-x64

10

1f9c6d71f4...5a.exe

windows7-x64

10

1f9c6d71f4...5a.exe

windows10-2004-x64

10

20573eab37...45.exe

windows7-x64

10

20573eab37...45.exe

windows10-2004-x64

10

20d1c11837...7d.exe

windows7-x64

10

20d1c11837...7d.exe

windows10-2004-x64

10

20e0fb805b...2e.exe

windows7-x64

10

20e0fb805b...2e.exe

windows10-2004-x64

10

2122f46b77...53.exe

windows7-x64

10

2122f46b77...53.exe

windows10-2004-x64

10

21550d2e10...4f.exe

windows7-x64

10

21550d2e10...4f.exe

windows10-2004-x64

10

235041460f...03.exe

windows7-x64

1

235041460f...03.exe

windows10-2004-x64

10

2356c0cbe0...de.doc

windows7-x64

10

2356c0cbe0...de.doc

windows10-2004-x64

10

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

  • max time kernel
    126s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    24-07-2023 06:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe

  • Size

    1.1MB

  • MD5

    f69261837f9da67ec44f9162d322b7ba

  • SHA1

    953f07ea48032eab7dbfb0ba4eb27c323678694e

  • SHA256

    1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf

  • SHA512

    ae982649b499c4a779d304c77db55ffce2da2b5ef0618ff9b32e640edcb5e892bbd8bedfada32a51449f245a4f566bcb7e98c7e40672863dda52a3a1ec8026c7

  • SSDEEP

    12288:ZuN51q9I6/kldSCGDyaod+ik4g8y3SoDOqvFR/CFFeY+qwBzn5D8:ZuN5OPW2rEloDOqvCFFdcv

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.bosut.mk
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    0XsKEemhd6EE

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 6 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe
    "C:\Users\Admin\AppData\Local\Temp\1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxgSPTGiVwGP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C15.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:592
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:2344

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5C15.tmp
    Filesize

    1KB

    MD5

    7dbb9bee77e32acea8f1351030ad7510

    SHA1

    d5feb9642758a96018c332e326604b47b2868e58

    SHA256

    f592bc45d52560308f7e1fecdd2e36a7d0d84fea32c077a518c915112115a294

    SHA512

    fb9375b9476e1fbd13923872eda4eae3a5bbcd36f340c3d118baa1766b5c5b7eab097c97247192f8a9b5de28abe1de7480b5c8844d51d135ee7d1f33ac5a1d48

    Download Submit
  • memory/1240-54-0x0000000000E80000-0x0000000000FA8000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1240-55-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1240-56-0x00000000002F0000-0x00000000002FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1240-57-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1240-58-0x0000000004AF0000-0x0000000004B30000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1240-59-0x0000000000E10000-0x0000000000E62000-memory.dmp
    Filesize

    328KB

    Download
  • memory/1240-60-0x0000000004AF0000-0x0000000004B30000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1240-74-0x0000000074830000-0x0000000074F1E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2344-68-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-66-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-69-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2344-72-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-64-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-75-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-77-0x0000000000400000-0x000000000044A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2344-78-0x00000000739D0000-0x00000000740BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2344-79-0x00000000048B0000-0x00000000048F0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2344-80-0x00000000739D0000-0x00000000740BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2344-81-0x00000000048B0000-0x00000000048F0000-memory.dmp
    Filesize

    256KB

    Download