Overview

overview

10

Static

static

3

united sci...nt.exe

windows7-x64

10

united sci...nt.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    435s
  • max time network
    443s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-es
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
  • submitted
    12-10-2023 03:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    united scientific equipent.exe

  • Size

    710KB

  • MD5

    71536be72d8cc9dc156f1ff70b7f69a5

  • SHA1

    ff0bb0d7e4dfa01c187c80d2e42d85feb22d98b9

  • SHA256

    9909753bfb0ac8ab165bab3555233d03b01a9274a92e57c022f87ccbe51ca415

  • SHA512

    9a98d57116a638e4ec0df224c243a074de233bf1859ea6a5efbf0d4d36ef470a9421d535e2d35371c1191d72f09aa0352ba9d147dae62ef6e4fc5c0650df07c9

  • SSDEEP

    12288:v1XZi970Oz6hGy69oswvYeMW5+uCwpla6Mqbjvkgb3I9S0dbp5Ne:dXZ7DnY/WcuCd1qbjvkWI9S0Fp5Ne

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.cybernetics.co.za
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    P@ssw0rd

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
    "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lyganvy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE932.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:220
    • C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
      "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
      2⤵
        PID:4236
      • C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe
        "C:\Users\Admin\AppData\Local\Temp\united scientific equipent.exe"
        2⤵
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\united scientific equipent.exe.log
      Filesize

      1KB

      MD5

      17573558c4e714f606f997e5157afaac

      SHA1

      13e16e9415ceef429aaf124139671ebeca09ed23

      SHA256

      c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553

      SHA512

      f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tmpE932.tmp
      Filesize

      1KB

      MD5

      7e4996d1cf7eba9e5f341b83089d46b8

      SHA1

      d3a6ec04f4350f32a5e77a6a6cc816a0b9abdc33

      SHA256

      f375585fc91ee7857f2cc4b528273f55fa09d2a4a139bf25eb738321ed8a6884

      SHA512

      1864463d63ddf4a91ad9157af34a1ced1454f5545daf8c21f6b16ca9b06cf15ff854c7bcdf7ddfcdd691201555e8b6d99c66678d55afcc62c8a1df48f752de29

      Download Submit

    • memory/2680-12-0x0000000006E70000-0x0000000006F72000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2680-9-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2680-4-0x00000000056B0000-0x0000000005742000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2680-5-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-6-0x0000000005630000-0x000000000563A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2680-7-0x00000000058A0000-0x00000000058F6000-memory.dmp

      Filesize

      344KB

      Download

    • memory/2680-8-0x0000000005A60000-0x0000000005A6A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2680-22-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2680-10-0x0000000005550000-0x0000000005560000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2680-11-0x0000000001580000-0x00000000015F4000-memory.dmp

      Filesize

      464KB

      Download

    • memory/2680-1-0x0000000000C10000-0x0000000000CC8000-memory.dmp

      Filesize

      736KB

      Download

    • memory/2680-3-0x0000000005BC0000-0x0000000006164000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2680-2-0x0000000005570000-0x000000000560C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2680-0-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4768-28-0x0000000002490000-0x00000000024D0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4768-18-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4768-23-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4768-24-0x0000000004F60000-0x0000000004F78000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4768-25-0x0000000005C20000-0x0000000005C86000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4768-26-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4768-27-0x0000000004F10000-0x0000000004F20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4768-21-0x0000000074BB0000-0x0000000075360000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4768-29-0x0000000000B50000-0x0000000000BA0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4768-30-0x00000000051C0000-0x00000000051D2000-memory.dmp

      Filesize

      72KB

      Download