Overview

overview

10

Static

static

3

controvoke2.1.exe

windows7-x64

10

controvoke2.1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    28/08/2023, 18:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    controvoke2.1.exe

  • Size

    411KB

  • MD5

    3c235c238a38a7dc10d78f0ba080587f

  • SHA1

    c3793be872f2621f25aa858391657967a749eed2

  • SHA256

    11e6f0a94e14abfea4bdbde34de5d22b2428775f23a5ecf32c0382d9b4e23e0f

  • SHA512

    180ac1fb17e1909041897bed7ca9301c2a4b75a251be815b6ff215e05a37aee85685fbc8b59552f956fd97a9f25ab658a4584f777b26f72caa3291c79e340959

  • SSDEEP

    12288:2YdrUBonHv0ExODZoyXqqT4yX8TpiImGVeBsg:2YFUo/xmZMbMWVlg

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\controvoke2.1.exe
    "C:\Users\Admin\AppData\Local\Temp\controvoke2.1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2060
    • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
      "C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3000
      • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
        "C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1868

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\pptve.eqc
          Filesize

          336KB

          MD5

          9eb099e5c928e2be363652590e021ad1

          SHA1

          36d6add7395bc509737ae10a0d0ae1b9e33eaf71

          SHA256

          fc5242d4904704be57768e996fe494ace2aa6d933138f5acf6841a36f429504d

          SHA512

          3ba00ce003a70a6c31ebdd6da73886a09e72cea2b2d3bde7d8280f714ff0103c90eaecbf0251c2f42532ae7065c92f766f4776f60e8037c3117bd3765a6318d3

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
          Filesize

          180KB

          MD5

          94b2ea1a3022b923e5af0eb721b41f83

          SHA1

          babcaa8f79d14fda035808a372101d6a3d370789

          SHA256

          ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

          SHA512

          16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
          Filesize

          180KB

          MD5

          94b2ea1a3022b923e5af0eb721b41f83

          SHA1

          babcaa8f79d14fda035808a372101d6a3d370789

          SHA256

          ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

          SHA512

          16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\zuwafjld.exe
          Filesize

          180KB

          MD5

          94b2ea1a3022b923e5af0eb721b41f83

          SHA1

          babcaa8f79d14fda035808a372101d6a3d370789

          SHA256

          ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

          SHA512

          16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\zuwafjld.exe
          Filesize

          180KB

          MD5

          94b2ea1a3022b923e5af0eb721b41f83

          SHA1

          babcaa8f79d14fda035808a372101d6a3d370789

          SHA256

          ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

          SHA512

          16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

          Download Submit

        • \Users\Admin\AppData\Local\Temp\zuwafjld.exe
          Filesize

          180KB

          MD5

          94b2ea1a3022b923e5af0eb721b41f83

          SHA1

          babcaa8f79d14fda035808a372101d6a3d370789

          SHA256

          ce54f7b569b8b8308fbffa1944569606c8eb6e65547a901256b059367c163bbf

          SHA512

          16a6fa5e98adca3aec5c3ce628829eda2f0b0342709f9457b17c7012e5f2649b6968a5db18ea42945cb898a426a40bcb34ad4d53412e1ef1c7c579f339c7ed1e

          Download Submit

        • memory/1868-14-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

          Download

        • memory/1868-10-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

          Download

        • memory/1868-15-0x0000000000400000-0x0000000000453000-memory.dmp

          Filesize

          332KB

          Download

        • memory/1868-17-0x0000000074940000-0x000000007502E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1868-16-0x0000000004450000-0x0000000004492000-memory.dmp

          Filesize

          264KB

          Download

        • memory/1868-18-0x00000000044C0000-0x0000000004500000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1868-19-0x00000000044C0000-0x0000000004500000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1868-20-0x00000000044C0000-0x0000000004500000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1868-21-0x0000000074940000-0x000000007502E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/3000-6-0x00000000001D0000-0x00000000001D2000-memory.dmp

          Filesize

          8KB

          Download