Overview

overview

10

Static

static

3

POORD20231109001.exe

windows7-x64

10

POORD20231109001.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    23/11/2023, 01:51

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    POORD20231109001.exe

  • Size

    809KB

  • MD5

    5c4180b748b40a11611cbac14d4827d6

  • SHA1

    fd005cac55e3b1fe44e2b88fcf124a0b1dfb0286

  • SHA256

    d059a3bb4ddac726db29101656b244b8bf425a3e1c638bbe51e8765c7d66c86b

  • SHA512

    e588733cea468c6c501757ce517ce3d5893da77591708a612c4a2bdc8fa257d60cb6f06d08dceecec8bc0b8b534bbb4ba6cd10fa4c762e3c5adff6f85852edf3

  • SSDEEP

    12288:28orMbmZeadAZYMTT1M3kTOSvQKGd5ypP7r9r/+pppppppppppppppppppppppp1:BeMbmZea2ZYK1ASvf1q

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\POORD20231109001.exe
    "C:\Users\Admin\AppData\Local\Temp\POORD20231109001.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:304
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\POORD20231109001.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2536
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\HrAADtCmIIam.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2700
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HrAADtCmIIam" /XML "C:\Users\Admin\AppData\Local\Temp\tmp435.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2668
    • C:\Users\Admin\AppData\Local\Temp\POORD20231109001.exe
      "C:\Users\Admin\AppData\Local\Temp\POORD20231109001.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2124

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp435.tmp
          Filesize

          1KB

          MD5

          93a119ce6bd542b184fe7e2684163fcc

          SHA1

          06de5381a2987493478d23b42969eb131952e944

          SHA256

          a809077a09689a432f6b8980bf5f16b733b4598cb82c45f63d62cfcffcabcf64

          SHA512

          9291e003f195aab837011912a25bf106823e3fa19c8be2928feab9dc130325ab1e79ff3f87a79b15ac2947b427ea7c4a23df20caeb20e4e51693e7f14055f0f6

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DZC14GHEF9E8YSP5PNZA.temp
          Filesize

          7KB

          MD5

          1205db6b3286778a5e2bc8e94f1a6c96

          SHA1

          06e15ead17b2849258b8e3e0e1ce53a03b1c0c34

          SHA256

          75e10f48531aa3aa8e4fb56cc0c3ac94f72abd1102af69a8a8340a0c9d5e03d1

          SHA512

          041ebb20bd7f86859e950fb856f09920b049da49f90b6bb11ed75735ebba772e7e4db4b328db44a4541e4e8475ef895669d3f818c7727092c5570bf9d2353c81

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          1205db6b3286778a5e2bc8e94f1a6c96

          SHA1

          06e15ead17b2849258b8e3e0e1ce53a03b1c0c34

          SHA256

          75e10f48531aa3aa8e4fb56cc0c3ac94f72abd1102af69a8a8340a0c9d5e03d1

          SHA512

          041ebb20bd7f86859e950fb856f09920b049da49f90b6bb11ed75735ebba772e7e4db4b328db44a4541e4e8475ef895669d3f818c7727092c5570bf9d2353c81

          Download Submit

        • memory/304-3-0x00000000005E0000-0x00000000005F2000-memory.dmp

          Filesize

          72KB

          Download

        • memory/304-4-0x0000000000730000-0x0000000000738000-memory.dmp

          Filesize

          32KB

          Download

        • memory/304-5-0x00000000007C0000-0x00000000007CA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/304-6-0x0000000004360000-0x00000000043DA000-memory.dmp

          Filesize

          488KB

          Download

        • memory/304-7-0x0000000073CB0000-0x000000007439E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/304-8-0x0000000000590000-0x00000000005D0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/304-0-0x0000000000030000-0x0000000000100000-memory.dmp

          Filesize

          832KB

          Download

        • memory/304-30-0x0000000073CB0000-0x000000007439E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/304-2-0x0000000000590000-0x00000000005D0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/304-1-0x0000000073CB0000-0x000000007439E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2124-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2124-33-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-25-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-23-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-28-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-16-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-31-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-40-0x0000000072C70000-0x000000007335E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2124-44-0x0000000072C70000-0x000000007335E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2124-24-0x0000000000400000-0x0000000000440000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2124-45-0x0000000004A10000-0x0000000004A50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2536-37-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2536-38-0x0000000002710000-0x0000000002750000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2536-34-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2536-43-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2700-35-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2700-41-0x0000000002700000-0x0000000002740000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2700-42-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2700-39-0x0000000002700000-0x0000000002740000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2700-36-0x000000006DA20000-0x000000006DFCB000-memory.dmp

          Filesize

          5.7MB

          Download