Overview

overview

10

Static

static

3

dekontS009...97.exe

windows7-x64

10

dekontS009...97.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-09-2023 14:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dekontS009892823120097.exe

  • Size

    674KB

  • MD5

    ae60c35242d7b40242f3534b9b44ab8c

  • SHA1

    971f54b01e13c655cc8b639071482cfd8d1126a7

  • SHA256

    1fa1508619e68627140eaffb803b566bf5123fedf75b1954185f8ea2459b6e53

  • SHA512

    2a146407773ae757b061eefcb78aaaf771068db0b22dc27e98113607557839cea19e10a42d3bbf411901b6828e316d34b429c5961666caaf467111886a762804

  • SSDEEP

    12288:2rD6jT0DvJNf3Qojcu2RaSf02kwn8MKu2XVa6+jMUfCu0K:8D6T0DBNTjdOfb8hu2lGjMUfiK

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6437062908:AAEjLF9P2SzySTsTGgeQXxxJNFNfbLGUHH4/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dekontS009892823120097.exe
    "C:\Users\Admin\AppData\Local\Temp\dekontS009892823120097.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\AppData\Local\Temp\dekontS009892823120097.exe
      "C:\Users\Admin\AppData\Local\Temp\dekontS009892823120097.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:4676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\dekontS009892823120097.exe.log
    Filesize

    1KB

    MD5

    27b2fec2a6283b09ef15bd709cb96c3d

    SHA1

    728585dd6390edf7806524dcf4bf18139632a001

    SHA256

    451a266b23424f3075e68b990cb90c7c177d48a64688c39ee77a4e9e239cf311

    SHA512

    bb10e90a881b259b1b90e54a1451f660c96e900576000a294cd1311ac5a6d3b3567cc7ad169ed26ff38719d65462ad31b2247e0f80118dd693f45927255de50b

    Download Submit

  • memory/4676-13-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4676-22-0x0000000005350000-0x0000000005360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4676-21-0x00000000751C0000-0x0000000075970000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4676-20-0x0000000006A20000-0x0000000006A70000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4676-18-0x00000000053D0000-0x0000000005436000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4676-19-0x0000000005350000-0x0000000005360000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4676-16-0x00000000751C0000-0x0000000075970000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4700-5-0x00000000052E0000-0x00000000052EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4700-6-0x0000000005590000-0x00000000055AA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4700-10-0x00000000059D0000-0x00000000059DC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4700-11-0x0000000006A70000-0x0000000006AEC000-memory.dmp

    Filesize

    496KB

    Download

  • memory/4700-12-0x00000000092F0000-0x000000000938C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/4700-8-0x00000000055F0000-0x0000000005600000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4700-7-0x00000000751C0000-0x0000000075970000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4700-9-0x00000000059C0000-0x00000000059CA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4700-17-0x00000000751C0000-0x0000000075970000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4700-0-0x00000000751C0000-0x0000000075970000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4700-4-0x00000000055F0000-0x0000000005600000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4700-3-0x0000000005340000-0x00000000053D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4700-2-0x0000000005A50000-0x0000000005FF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4700-1-0x00000000009E0000-0x0000000000A8E000-memory.dmp

    Filesize

    696KB

    Download