Overview

overview

10

Static

static

3

Hesap_Hare...DF.exe

windows7-x64

10

Hesap_Hare...DF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    154s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231023-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-11-2023 10:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe

  • Size

    734KB

  • MD5

    d61b690733c8834cef392ee38bf77342

  • SHA1

    a3dd3c0fc1932050e15de9544a0593a817148ee3

  • SHA256

    785d3f4b8cc802894eeb0a3194edb03f8bb4841ba2d5f81d762cb99e0644c723

  • SHA512

    4b64f61eef59ca0f6ccc6d2898ac8df51046730bea6cf6e593c0386ed2a5555130389d678f84b430cb5b5069e07b4ecf0b3f37d9d40cd7ca521182e9e3293ba7

  • SSDEEP

    12288:2E6jD/Coy0An5iqQljv9KgHToOphLQXpjb5U/r5WyA52PUMVZpz1vfyUXLr7llZ5:2tD/7y0AwqQlz/H3hMXp35U/DA52seDf

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.rolexlogisticsservice.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    2u]jWuxLcbdA

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4944
    • C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe
      "C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe"
      2⤵
        PID:4752
      • C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\Hesap_Hareketleri_SUN_BAGLANTI_ELEMANLARI_PRES_METMAKSANVE_TICLTDSTI_20231124_84014609_PDF.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4828

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/4828-13-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/4828-21-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4828-20-0x0000000075250000-0x0000000075A00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4828-19-0x00000000066A0000-0x00000000066F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4828-18-0x0000000004FE0000-0x0000000005046000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4828-16-0x00000000051A0000-0x00000000051B0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4828-15-0x0000000075250000-0x0000000075A00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4944-5-0x0000000005040000-0x000000000504A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4944-6-0x0000000005310000-0x0000000005328000-memory.dmp

      Filesize

      96KB

      Download

    • memory/4944-9-0x0000000005490000-0x000000000549A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4944-10-0x000000000BE80000-0x000000000BEFA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/4944-11-0x000000000F510000-0x000000000F5AC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/4944-12-0x00000000050F0000-0x0000000005100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4944-7-0x0000000005480000-0x0000000005486000-memory.dmp

      Filesize

      24KB

      Download

    • memory/4944-8-0x0000000075250000-0x0000000075A00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4944-0-0x0000000075250000-0x0000000075A00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4944-17-0x0000000075250000-0x0000000075A00000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4944-4-0x00000000050F0000-0x0000000005100000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4944-3-0x0000000004F90000-0x0000000005022000-memory.dmp

      Filesize

      584KB

      Download

    • memory/4944-2-0x00000000054A0000-0x0000000005A44000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/4944-1-0x00000000004E0000-0x000000000059E000-memory.dmp

      Filesize

      760KB

      Download