Overview

overview

10

Static

static

3

420a2c200f...67.exe

windows7-x64

10

420a2c200f...67.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-09-2023 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe

  • Size

    12KB

  • MD5

    1eef9f1c50a5362d4ff555b6cc5bc5df

  • SHA1

    caa4099e942052634cea6fc2866d9652f09cf546

  • SHA256

    420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867

  • SHA512

    56c41cf987ba22ddac2cac9ef10e3dbadf2abd99ca0ed3510883d532cc5d1625ce50426308b8e91bd20645e3812074b31b977976646d751621dd18a92b877218

  • SSDEEP

    192:nlv0pHLdF1bvM+A4tLHwpTxHR95w0J1dZdckF+syKtieOv:d+Lxbk+A4tTyFSvsyuDO

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe
    "C:\Users\Admin\AppData\Local\Temp\420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\BIN.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\BIN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3172
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:4320
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 1 & Del "C:\Users\Admin\AppData\Local\Temp\420a2c200fde9d62bc040616edd62949aec77d6e39bf864602f584792fc8e867.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 1
        3⤵
          PID:3692

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\BIN.exe
      Filesize

      53KB

      MD5

      46bb9de6f56bf249a4e78e2a5068e425

      SHA1

      97c7b74d4ac79ee23884e69c61c4016ad35eaeab

      SHA256

      3a4b1e3cc1e298ce7440831ab41ef87b16e219175881350395564b81359889d6

      SHA512

      150bc10ee344a0f84cb6e8e3208640bd0557e4ef3c258f00a79faa0a370cc3fc6643e1a606727260ebc3d649ef89e917c51d4ccdd339aa286afd512e1fa9f065

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\BIN.exe
      Filesize

      53KB

      MD5

      46bb9de6f56bf249a4e78e2a5068e425

      SHA1

      97c7b74d4ac79ee23884e69c61c4016ad35eaeab

      SHA256

      3a4b1e3cc1e298ce7440831ab41ef87b16e219175881350395564b81359889d6

      SHA512

      150bc10ee344a0f84cb6e8e3208640bd0557e4ef3c258f00a79faa0a370cc3fc6643e1a606727260ebc3d649ef89e917c51d4ccdd339aa286afd512e1fa9f065

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\BIN.exe
      Filesize

      53KB

      MD5

      46bb9de6f56bf249a4e78e2a5068e425

      SHA1

      97c7b74d4ac79ee23884e69c61c4016ad35eaeab

      SHA256

      3a4b1e3cc1e298ce7440831ab41ef87b16e219175881350395564b81359889d6

      SHA512

      150bc10ee344a0f84cb6e8e3208640bd0557e4ef3c258f00a79faa0a370cc3fc6643e1a606727260ebc3d649ef89e917c51d4ccdd339aa286afd512e1fa9f065

      Download Submit

    • memory/2076-15-0x00007FFCB7B70000-0x00007FFCB8631000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2076-2-0x000002769C0F0000-0x000002769C100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2076-1-0x00007FFCB7B70000-0x00007FFCB8631000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2076-0-0x0000027681A20000-0x0000027681A2A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/3172-24-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3172-16-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/3172-17-0x0000000000900000-0x0000000000916000-memory.dmp

      Filesize

      88KB

      Download

    • memory/3172-18-0x0000000002D70000-0x0000000002D76000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3172-19-0x0000000005160000-0x0000000005170000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3172-20-0x0000000002C40000-0x0000000002C52000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4320-21-0x0000000000400000-0x0000000000430000-memory.dmp

      Filesize

      192KB

      Download

    • memory/4320-23-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4320-25-0x0000000005CB0000-0x0000000006254000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4320-26-0x0000000005800000-0x0000000005810000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4320-27-0x0000000005810000-0x0000000005876000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4320-28-0x0000000006900000-0x0000000006992000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4320-29-0x0000000006870000-0x000000000687A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4320-30-0x0000000006B80000-0x0000000006BD0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4320-31-0x0000000006DA0000-0x0000000006F62000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/4320-32-0x0000000074EF0000-0x00000000756A0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4320-33-0x0000000005800000-0x0000000005810000-memory.dmp

      Filesize

      64KB

      Download