Overview

overview

10

Static

static

3

5b53817510...c8.exe

windows7-x64

10

5b53817510...c8.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07/08/2023, 02:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8.exe

  • Size

    301KB

  • MD5

    41279bcbfec0ec860dd662ea72006150

  • SHA1

    06a32a46b9f2c49766f7f559c267571277fa6b7d

  • SHA256

    5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8

  • SHA512

    83ac2355c10bfc0c5a3eda87b243069b1a5bb3d84079a1d4e82a5da917b4c97799ea30be8eab6f8598768d62b2c73cb2ecfc46ae59dca3e17a6befc234e10154

  • SSDEEP

    6144:/Ya61fAcGUqFKEi33DnhflyfeqR6SKvGChol6/lj:/YHZGrKEw3Dn7jqR7PCWe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    smtp.elec-qatar.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    MHabrar2019@#

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8.exe
    "C:\Users\Admin\AppData\Local\Temp\5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Users\Admin\AppData\Local\Temp\5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8.exe
      "C:\Users\Admin\AppData\Local\Temp\5b5381751013c31e8c08e428719cd3921a04cee5c623afc80bdd9bb61184bac8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\nso5E4E.tmp\gxqxxsh.dll
    Filesize

    83KB

    MD5

    bf18a0a2cddbfb169118a27a103ce2c3

    SHA1

    07721981869927af3a3031260f6963995dd78341

    SHA256

    017d033f7513f2eac5892f0db5fbf491a45f38b96bed683ee96ef775c42ea12a

    SHA512

    2e730bd9aea0ea3c917f4cf8e54a551b69da2e405b8632dc54e8bece45ada8dbe3c026b933d8d0283eb17475214981ca105a81b7620380e98a319d6ea30aad12

    Download Submit

  • memory/2244-148-0x00000000049C0000-0x0000000004F64000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2244-140-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2244-141-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2244-168-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-143-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2244-144-0x0000000000400000-0x0000000000441000-memory.dmp

    Filesize

    260KB

    Download

  • memory/2244-145-0x0000000075340000-0x0000000075AF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2244-146-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-166-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-147-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-151-0x00000000055D0000-0x0000000005620000-memory.dmp

    Filesize

    320KB

    Download

  • memory/2244-150-0x0000000004FE0000-0x0000000005046000-memory.dmp

    Filesize

    408KB

    Download

  • memory/2244-149-0x00000000049B0000-0x00000000049C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2244-152-0x0000000005620000-0x00000000057E2000-memory.dmp

    Filesize

    1.8MB

    Download

  • memory/2244-162-0x0000000005910000-0x00000000059AC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/2244-163-0x0000000005CB0000-0x0000000005D42000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2244-164-0x0000000005DD0000-0x0000000005DDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2244-165-0x0000000075340000-0x0000000075AF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3904-139-0x0000000075080000-0x0000000075099000-memory.dmp

    Filesize

    100KB

    Download

  • memory/3904-142-0x0000000075080000-0x0000000075099000-memory.dmp

    Filesize

    100KB

    Download