Overview

overview

10

Static

static

10

231121-01-...d4.exe

windows7-x64

10

231121-01-...d4.exe

windows10-2004-x64

10

231121-02-...4c.exe

windows7-x64

10

231121-02-...4c.exe

windows10-2004-x64

10

231121-03-...94.exe

windows7-x64

10

231121-03-...94.exe

windows10-2004-x64

10

231121-04-...05.exe

windows7-x64

10

231121-04-...05.exe

windows10-2004-x64

10

231121-05-...29.exe

windows7-x64

10

231121-05-...29.exe

windows10-2004-x64

10

231121-06-...a6.exe

windows7-x64

10

231121-06-...a6.exe

windows10-2004-x64

10

231121-07-...6a.exe

windows7-x64

10

231121-07-...6a.exe

windows10-2004-x64

10

231121-08-...84.exe

windows7-x64

10

231121-08-...84.exe

windows10-2004-x64

10

231121-09-...c4.exe

windows7-x64

10

231121-09-...c4.exe

windows10-2004-x64

10

231121-10-...ec.exe

windows7-x64

10

231121-10-...ec.exe

windows10-2004-x64

10

231121-11-...bc.exe

windows7-x64

10

231121-11-...bc.exe

windows10-2004-x64

10

231121-12-...1d.exe

windows7-x64

10

231121-12-...1d.exe

windows10-2004-x64

10

231121-13-...5e.exe

windows7-x64

10

231121-13-...5e.exe

windows10-2004-x64

10

231121-14-...29.exe

windows7-x64

10

231121-14-...29.exe

windows10-2004-x64

10

231121-15-...f4.exe

windows7-x64

3

231121-15-...f4.exe

windows10-2004-x64

10

231121-16-...00.exe

windows7-x64

10

231121-16-...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2023 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    231121-01-AgentTesla-4f4bd4.exe

  • Size

    890KB

  • MD5

    73af2b313925da0e49f1c99e1b51ec4b

  • SHA1

    4f4bd4f230b2d2bc6f140d38f8c301a3264747a0

  • SHA256

    bf91852588010cca4ca8aa2f419531df69a6e5454f471ebb2e862c17b99e5724

  • SHA512

    1c7ab9854266a275376ce0134d356702749f6ce8168fee0301c8140867d30384c4f5521c1212c71aba2eea0cee3600bbe9bd6311ac721219acb52c46b1c3c6f7

  • SSDEEP

    24576:ve4ucqeAete6Fnj5k359f5fHi/dkGxris1q:3ucN3Fnjw53exel

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe
    "C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1940
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\231121-01-AgentTesla-4f4bd4.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2616
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yoLxZmTZYPo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2768
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yoLxZmTZYPo" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEEA.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2520
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpDEEA.tmp
    Filesize

    1KB

    MD5

    ed547489b3daa1b4e763c0a18b9c6b98

    SHA1

    c76ebe7189bc57c8e4443845f7b30a037c706f8d

    SHA256

    eb01cfc57852505da77fa35047016191e66f816d29096d20c9ec444e6af59696

    SHA512

    29b97c07715da11dc4b67ffdd513e4e935ee0503ac6a396bfe8f37ab3788476dfa57c6677680ae8c12837fdb31c5548b45dd16f0d03f4d15b594c3f5c51321a1

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\882972XF2KKG31B3RTXZ.temp
    Filesize

    7KB

    MD5

    9b58a00a41b796a34983198b9d624c33

    SHA1

    0ea345e0dbc5ad1be011d08d454577ddd16e594b

    SHA256

    05f3137131cde578001007afc540f7520a77420ba06e87c5c2dc91344952f872

    SHA512

    22047b0a8a7ca05d1ea283b0c905552e0eb0c2fbf5ddeece24748d83852e80a801b16dfe9dcfdb9aeaec56c0884a49f07cc6c6a492b32ade977c1b8f47e6f6ca

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    9b58a00a41b796a34983198b9d624c33

    SHA1

    0ea345e0dbc5ad1be011d08d454577ddd16e594b

    SHA256

    05f3137131cde578001007afc540f7520a77420ba06e87c5c2dc91344952f872

    SHA512

    22047b0a8a7ca05d1ea283b0c905552e0eb0c2fbf5ddeece24748d83852e80a801b16dfe9dcfdb9aeaec56c0884a49f07cc6c6a492b32ade977c1b8f47e6f6ca

    Download Submit

  • memory/1940-32-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-1-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-5-0x00000000004D0000-0x00000000004DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1940-6-0x0000000004E00000-0x0000000004E7A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/1940-7-0x0000000074190000-0x000000007487E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1940-3-0x00000000004B0000-0x00000000004C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1940-2-0x0000000000460000-0x00000000004A0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1940-0-0x00000000010F0000-0x00000000011D4000-memory.dmp

    Filesize

    912KB

    Download

  • memory/1940-4-0x00000000004C0000-0x00000000004C8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2616-21-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2616-38-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-22-0x0000000002720000-0x0000000002760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2768-23-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-39-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2768-20-0x000000006ECC0000-0x000000006F26B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2976-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-33-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-35-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-36-0x0000000072E70000-0x000000007355E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-37-0x00000000012C0000-0x0000000001300000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2976-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2976-40-0x0000000072E70000-0x000000007355E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-41-0x00000000012C0000-0x0000000001300000-memory.dmp

    Filesize

    256KB

    Download