Overview

overview

10

Static

static

3

Statement ...__.exe

windows7-x64

10

Statement ...__.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    04/10/2023, 16:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Statement Of Account.pdf_________________________________________________________________.exe

  • Size

    578KB

  • MD5

    f7659e75c69e47b6fd42687ed60390d4

  • SHA1

    ab96112413731eb7601bd5168c358334c81e9edf

  • SHA256

    c94c3741876b0ec763fa759b91c10d941c12626e84ef0d43c6c64cec7959f4f8

  • SHA512

    5fe2b981c292a79c4c31917c330fd7bca33326b7b4fd5254efb07a1e40871b772ef15ed0198a7b68a7dc52db18ba83936cd1f85a5ba975d87c9e92f1c8c415f0

  • SSDEEP

    12288:x8zS55mFzD8jtsA6TwAaRhF0ThzIfDaXworitkvpALaek6m+I2i:xf55qatsD8BRhiThz+DUpr1p+Nk6m+ji

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Statement Of Account.pdf_________________________________________________________________.exe
    "C:\Users\Admin\AppData\Local\Temp\Statement Of Account.pdf_________________________________________________________________.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Statement Of Account.pdf_________________________________________________________________.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\QVvBWxyKTBqTq.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\QVvBWxyKTBqTq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2788
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2588

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmpDD25.tmp
            Filesize

            1KB

            MD5

            dc2fb60fcdfcb4647fc54f31750a0fef

            SHA1

            6d6fb58806e0cb323f82245bfdba4e06a4b76cb4

            SHA256

            920bffd21a8a9dc6fad50e3a6bfb69e683fa9be7e3191bc322142bd947558b3d

            SHA512

            221912f958813b808ae18798ecf8ca5dac3b6c995e285cdcf7f611f8d8492a91ec361259cea26d9942fb70a75046443e706630e0df5483be879dfb557c4980f9

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RMQ4H3W0YLHPK8VNH39U.temp
            Filesize

            7KB

            MD5

            ffec2ab8c79ecd3eaf57b688d4acc245

            SHA1

            5ee465518378db9cea2ad1f0311bb21364a76b93

            SHA256

            f31011199851409c1095efd6b4ba8a05f00d8800c9265b6364fa2acc78edc656

            SHA512

            6aaf9decde0701f5f846a04730b796bbc4ce939ac8ac946acb5187c7571dd0ecf27edfd19179ead46615f4b95f046196a74c0096f6466c17c603162f75b4bc76

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
            Filesize

            7KB

            MD5

            ffec2ab8c79ecd3eaf57b688d4acc245

            SHA1

            5ee465518378db9cea2ad1f0311bb21364a76b93

            SHA256

            f31011199851409c1095efd6b4ba8a05f00d8800c9265b6364fa2acc78edc656

            SHA512

            6aaf9decde0701f5f846a04730b796bbc4ce939ac8ac946acb5187c7571dd0ecf27edfd19179ead46615f4b95f046196a74c0096f6466c17c603162f75b4bc76

            Download Submit

          • memory/2076-5-0x0000000004C80000-0x0000000004CC0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2076-0-0x00000000002D0000-0x0000000000366000-memory.dmp

            Filesize

            600KB

            Download

          • memory/2076-6-0x00000000003B0000-0x00000000003C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2076-7-0x0000000004CC0000-0x0000000004D2A000-memory.dmp

            Filesize

            424KB

            Download

          • memory/2076-3-0x00000000003D0000-0x00000000003E8000-memory.dmp

            Filesize

            96KB

            Download

          • memory/2076-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2076-1-0x0000000074AE0000-0x00000000751CE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2076-4-0x0000000074AE0000-0x00000000751CE000-memory.dmp

            Filesize

            6.9MB

            Download

          • memory/2588-26-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2588-31-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2588-30-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2588-28-0x0000000000400000-0x0000000000430000-memory.dmp

            Filesize

            192KB

            Download

          • memory/2756-21-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2756-25-0x0000000002940000-0x0000000002980000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2756-23-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2756-33-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2776-24-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2776-22-0x0000000002620000-0x0000000002660000-memory.dmp

            Filesize

            256KB

            Download

          • memory/2776-20-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/2776-32-0x000000006F910000-0x000000006FEBB000-memory.dmp

            Filesize

            5.7MB

            Download