Overview

overview

10

Static

static

3

docdav20230926.exe

windows7-x64

10

docdav20230926.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    162s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-10-2023 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    docdav20230926.exe

  • Size

    1.1MB

  • MD5

    909d39242d301cc07ffc6196bb487939

  • SHA1

    1025f0ad973b6423d58022fc50059fbfd1eac425

  • SHA256

    573df9fa921ac9c03d681fd60ca7488df873ff8d1d5f6f8a11807e3189af4761

  • SHA512

    b6cfbba8ac398292e4d048c5c648cb85ae20bbf804829e36f92d7a1206720eff20c5f2fbf771c1d79cca9c8de9c143b7cc0f84588dde072632f364c452de8016

  • SSDEEP

    12288:Ow7KEJ0aIgurDVQjqREzY3O8tA3QHNu6m15r1/jc/2eUsD:NKE8VQj+EU3Q3QtHm/5/A/XUsD

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.product-secured.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    575K5(MaZro2575K5(MaZro2

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\docdav20230926.exe
    "C:\Users\Admin\AppData\Local\Temp\docdav20230926.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3720
    • C:\Users\Admin\AppData\Local\Temp\docdav20230926.exe
      "C:\Users\Admin\AppData\Local\Temp\docdav20230926.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • outlook_office_path
      • outlook_win_path
      PID:1248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1248-13-0x0000000074E30000-0x00000000755E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1248-11-0x00000000057B0000-0x0000000005816000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1248-10-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1248-8-0x0000000074E30000-0x00000000755E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1248-17-0x0000000007080000-0x0000000007112000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1248-16-0x0000000006F40000-0x0000000006FDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1248-15-0x0000000006E50000-0x0000000006EA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1248-7-0x0000000000400000-0x0000000000444000-memory.dmp

    Filesize

    272KB

    Download

  • memory/1248-18-0x0000000007020000-0x000000000702A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1248-14-0x0000000005730000-0x0000000005740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3720-5-0x00000000054F0000-0x0000000005500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3720-3-0x0000000005AB0000-0x0000000006054000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3720-0-0x0000000000A50000-0x0000000000B70000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/3720-2-0x0000000074E30000-0x00000000755E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3720-6-0x00000000057F0000-0x0000000005890000-memory.dmp

    Filesize

    640KB

    Download

  • memory/3720-1-0x0000000074E30000-0x00000000755E0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3720-4-0x00000000054F0000-0x0000000005500000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3720-12-0x0000000074E30000-0x00000000755E0000-memory.dmp

    Filesize

    7.7MB

    Download