Overview

overview

10

Static

static

3

MT103.exe

windows7-x64

10

MT103.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    24/10/2023, 07:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MT103.exe

  • Size

    826KB

  • MD5

    d7f9bee72b5fb757c3d4435f83d344bf

  • SHA1

    a97126eb888dc4afd78ae67366251aa203c4204d

  • SHA256

    bb7252a742ea82d9ef1b61dc258dfee4b29e20f66b75672924205156ea4eaa57

  • SHA512

    7e07fc6fff5a01f975a3841097a7b072480c86587eb4fe08d0d914702e4ac3b0163b764e2e0ad7b63a74f9efe737d959b7080d157331d2b7255cb960a8413b4e

  • SSDEEP

    24576:w/WqOpe43HeAEd95NF99NLjhThIIVS3z:w/WqCPeAE75b9zjDInz

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MT103.exe
    "C:\Users\Admin\AppData\Local\Temp\MT103.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1140
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\MT103.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2728
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uLxvgZD.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2644
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uLxvgZD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31BA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2660
    • C:\Users\Admin\AppData\Local\Temp\MT103.exe
      "C:\Users\Admin\AppData\Local\Temp\MT103.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp31BA.tmp
    Filesize

    1KB

    MD5

    47dfb9a07c9ac78f06608b0b79543815

    SHA1

    022d6d805d0d5716909816e34a7313982ba929d1

    SHA256

    a72de17f9be61a1afd01d42571c234ce658e99d6af7c08dd2eea1f5f7707bbde

    SHA512

    f99a0260d88ac178f151629cc5ed5e4de2b5d680d85f86817ed096fc8d4edf2e53ad411ab227165d5cb5fbd9329113e2e621fa989e2d05c427a7aaf6996d8c0f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    2f5f82cb9cd7e723c2fda744d4e0229a

    SHA1

    11ee241a3e5deff1f646b0e5174ba32a102c59d0

    SHA256

    0c6aa76cd04e0f9abc1b6e72c3c411fef42e75d8c0b7650fb0184f7f179e73ba

    SHA512

    819e47f62d39a129ea491878e755342ad8996396494939ec6e40fa39ebdc9e7cff3296c70a39967dba0c9238a6745ed9f4707673b2b365bdad563f1637d9f366

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    2f5f82cb9cd7e723c2fda744d4e0229a

    SHA1

    11ee241a3e5deff1f646b0e5174ba32a102c59d0

    SHA256

    0c6aa76cd04e0f9abc1b6e72c3c411fef42e75d8c0b7650fb0184f7f179e73ba

    SHA512

    819e47f62d39a129ea491878e755342ad8996396494939ec6e40fa39ebdc9e7cff3296c70a39967dba0c9238a6745ed9f4707673b2b365bdad563f1637d9f366

    Download Submit

  • memory/1140-3-0x00000000003F0000-0x000000000040E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/1140-4-0x0000000074650000-0x0000000074D3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1140-5-0x0000000004A70000-0x0000000004AB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1140-6-0x0000000000410000-0x000000000041C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/1140-7-0x0000000000540000-0x0000000000550000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1140-8-0x0000000005560000-0x00000000055DA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1140-0-0x0000000000A80000-0x0000000000B54000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1140-2-0x0000000004A70000-0x0000000004AB0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1140-1-0x0000000074650000-0x0000000074D3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1140-33-0x0000000074650000-0x0000000074D3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1324-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1324-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-32-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1324-48-0x0000000073190000-0x000000007387E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1324-49-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1324-41-0x0000000004AB0000-0x0000000004AF0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1324-40-0x0000000073190000-0x000000007387E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1324-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2644-38-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-37-0x000000006E340000-0x000000006E8EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2644-42-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2644-46-0x000000006E340000-0x000000006E8EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-39-0x000000006E340000-0x000000006E8EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-44-0x0000000001D60000-0x0000000001DA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-45-0x0000000001D60000-0x0000000001DA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-47-0x000000006E340000-0x000000006E8EB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2728-43-0x0000000001D60000-0x0000000001DA0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2728-36-0x000000006E340000-0x000000006E8EB000-memory.dmp

    Filesize

    5.7MB

    Download