Overview

overview

10

Static

static

3

Shipping_D...90.exe

windows7-x64

10

Shipping_D...90.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09/10/2023, 07:50

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping_Document-001222890.exe

  • Size

    782KB

  • MD5

    f2fe88b581743e12a33d2218ea90c470

  • SHA1

    8538b393ee59d2e0fc286e23d8a1d999f3249f14

  • SHA256

    1f22495e0f459d46c901746a490c146552173cb83d629bdb694f5961c09be657

  • SHA512

    4596943cd12032dbcd8b962050fe43abff7c78030c471b6df56644ffa95bfd27ea0a1a42adedfc188c3933f0d33ba190f26de98ecc8347a2633c5b1857a21a35

  • SSDEEP

    12288:Ktx1TuJM7w/QwacdVS6j4xgZYv/cNoPLx+hkQPFtF:iJZw3Nj4hcePLxukQPF

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping_Document-001222890.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping_Document-001222890.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3748
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jhEapWyuDHo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp414A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3792
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "{path}"
      2⤵
        PID:3268
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "{path}"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • outlook_office_path
        • outlook_win_path
        PID:3080

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\tmp414A.tmp
            Filesize

            1KB

            MD5

            4e68a8253b547899d802f98b7114f745

            SHA1

            eee6a63e65184a72b44e5100fe4e26048cd78fb5

            SHA256

            b8d39fda5fcc364575dada4645592d7bfa8b02fdce26f091b57cf7d0a73e488f

            SHA512

            4d871f465691b6aeb230f143c12773df653bc456077643290aed428460ed89698618919e6f0b443e5235bca5d6c9c78d584350c5dfbdecb05abbeead8bd58e7a

            Download Submit

          • memory/3080-24-0x0000000005520000-0x0000000005530000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3080-23-0x0000000074BA0000-0x0000000075350000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3080-22-0x00000000068F0000-0x0000000006940000-memory.dmp

            Filesize

            320KB

            Download

          • memory/3080-20-0x0000000005380000-0x00000000053E6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3080-19-0x0000000005520000-0x0000000005530000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3080-18-0x0000000074BA0000-0x0000000075350000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3080-15-0x0000000000400000-0x0000000000442000-memory.dmp

            Filesize

            264KB

            Download

          • memory/3748-5-0x00000000059C0000-0x0000000005A52000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3748-9-0x0000000074BA0000-0x0000000075350000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3748-10-0x00000000075B0000-0x0000000007630000-memory.dmp

            Filesize

            512KB

            Download

          • memory/3748-11-0x00000000074A0000-0x00000000074E2000-memory.dmp

            Filesize

            264KB

            Download

          • memory/3748-8-0x0000000006040000-0x000000000604C000-memory.dmp

            Filesize

            48KB

            Download

          • memory/3748-6-0x0000000005960000-0x000000000596A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3748-17-0x0000000074BA0000-0x0000000075350000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3748-7-0x0000000005BF0000-0x0000000005C46000-memory.dmp

            Filesize

            344KB

            Download

          • memory/3748-0-0x0000000000E00000-0x0000000000EC8000-memory.dmp

            Filesize

            800KB

            Download

          • memory/3748-4-0x0000000006050000-0x00000000065F4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3748-3-0x0000000005A90000-0x0000000005AA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3748-2-0x0000000005880000-0x000000000591C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/3748-1-0x0000000074BA0000-0x0000000075350000-memory.dmp

            Filesize

            7.7MB

            Download