Overview

overview

10

Static

static

10

231121-01-...d4.exe

windows7-x64

10

231121-01-...d4.exe

windows10-2004-x64

10

231121-02-...4c.exe

windows7-x64

10

231121-02-...4c.exe

windows10-2004-x64

10

231121-03-...94.exe

windows7-x64

10

231121-03-...94.exe

windows10-2004-x64

10

231121-04-...05.exe

windows7-x64

10

231121-04-...05.exe

windows10-2004-x64

10

231121-05-...29.exe

windows7-x64

10

231121-05-...29.exe

windows10-2004-x64

10

231121-06-...a6.exe

windows7-x64

10

231121-06-...a6.exe

windows10-2004-x64

10

231121-07-...6a.exe

windows7-x64

10

231121-07-...6a.exe

windows10-2004-x64

10

231121-08-...84.exe

windows7-x64

10

231121-08-...84.exe

windows10-2004-x64

10

231121-09-...c4.exe

windows7-x64

10

231121-09-...c4.exe

windows10-2004-x64

10

231121-10-...ec.exe

windows7-x64

10

231121-10-...ec.exe

windows10-2004-x64

10

231121-11-...bc.exe

windows7-x64

10

231121-11-...bc.exe

windows10-2004-x64

10

231121-12-...1d.exe

windows7-x64

10

231121-12-...1d.exe

windows10-2004-x64

10

231121-13-...5e.exe

windows7-x64

10

231121-13-...5e.exe

windows10-2004-x64

10

231121-14-...29.exe

windows7-x64

10

231121-14-...29.exe

windows10-2004-x64

10

231121-15-...f4.exe

windows7-x64

3

231121-15-...f4.exe

windows10-2004-x64

10

231121-16-...00.exe

windows7-x64

10

231121-16-...00.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    21-11-2023 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    231121-04-AgentTesla-41c205.exe

  • Size

    682KB

  • MD5

    e1170fe494e6a857b4423a366207b811

  • SHA1

    41c205dee65f1e2171919a1e1811d63f28ca1fa7

  • SHA256

    147030ad2b34a1be1d22bf564cae6d2a858c37d9237d97e28050bf32dc8c5a40

  • SHA512

    73165b97bb059da3cebac54ce1659dd13d21e7021aca5d32850bad91b85e47f802099b0e9bdc7665aa8eb16c776cfdba6d88867ed30ff6c5abc59e6e190d47a1

  • SSDEEP

    12288:EeQXucvCeAeQseQKPJkSCzG8d7hq0vwS3RmF6qc96zXFSjwuaQzpccW0S2kZwh:Ee4ucqeAete9JkVzGC7hvvP3+6v9KXsM

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe
    "C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wztCfj.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2312
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wztCfj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2332
    • C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe
      "C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe"
      2⤵
        PID:2688
      • C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe
        "C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe"
        2⤵
          PID:2788
        • C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe
          "C:\Users\Admin\AppData\Local\Temp\231121-04-AgentTesla-41c205.exe"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2824

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp80C4.tmp
        Filesize

        1KB

        MD5

        1bdec2d5e6de42a622025079c8b5bf3c

        SHA1

        3a4d8edcaf84d2f50ec0a6e0ead6e3552be768fe

        SHA256

        7febafabe034c5971dd4cdaeb6ea5197295022f1a24702be4009947a9e4121ae

        SHA512

        f60e49fa24ac2448c9e215b1ba27a6a5fb8345d99ccb7bff7de46e966df455d64ee642d57cff8da10904f13b74696c52c3d43b419e09b687fa07893140bfdb5b

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Micosoft Excel 2023\Micosoft Excel 2023.exe
        Filesize

        682KB

        MD5

        e1170fe494e6a857b4423a366207b811

        SHA1

        41c205dee65f1e2171919a1e1811d63f28ca1fa7

        SHA256

        147030ad2b34a1be1d22bf564cae6d2a858c37d9237d97e28050bf32dc8c5a40

        SHA512

        73165b97bb059da3cebac54ce1659dd13d21e7021aca5d32850bad91b85e47f802099b0e9bdc7665aa8eb16c776cfdba6d88867ed30ff6c5abc59e6e190d47a1

        Download Submit

      • memory/2032-3-0x00000000003C0000-0x00000000003D0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2032-4-0x00000000004F0000-0x00000000004F8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2032-5-0x0000000000500000-0x000000000050A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2032-6-0x0000000004C60000-0x0000000004CDC000-memory.dmp

        Filesize

        496KB

        Download

      • memory/2032-2-0x0000000004D00000-0x0000000004D40000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2032-1-0x0000000074420000-0x0000000074B0E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2032-0-0x0000000000290000-0x0000000000340000-memory.dmp

        Filesize

        704KB

        Download

      • memory/2032-23-0x0000000074420000-0x0000000074B0E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2312-26-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2312-34-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2312-31-0x0000000002460000-0x00000000024A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2312-30-0x0000000002460000-0x00000000024A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2312-28-0x000000006E8A0000-0x000000006EE4B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2824-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2824-25-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-22-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-27-0x0000000074420000-0x0000000074B0E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2824-20-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-17-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-29-0x0000000004C20000-0x0000000004C60000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2824-16-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-15-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-14-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/2824-35-0x0000000074420000-0x0000000074B0E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2824-36-0x0000000004C20000-0x0000000004C60000-memory.dmp

        Filesize

        256KB

        Download