Overview

overview

10

Static

static

3

SOB_BK23-0...25.exe

windows7-x64

10

SOB_BK23-0...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    27/11/2023, 02:35

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    SOB_BK23-003618_25.exe

  • Size

    1.1MB

  • MD5

    d47b077c6e9d55de441f237619819584

  • SHA1

    f718cf7a182e1fa8c094431f3d19a86cbd76ddf5

  • SHA256

    5f934b9c66294466761558a608c02f2d3f73dc5a05a63bb52a5e0e1b0a9a173a

  • SHA512

    ffd8dbdced84ad651b2a6cb59efa76e1c21786853766ae53308bafd302a9dc0010ccff6824a476dcc0e0456258ab17dcccc7527ee32b2bd0035f8c4967f14898

  • SSDEEP

    24576:M1dUGCFhfFpw+0hJMaFzbX/u8i5+j/uALxsFtD/:MMLFhfv50h9dbX/25+jDLW3

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SOB_BK23-003618_25.exe
    "C:\Users\Admin\AppData\Local\Temp\SOB_BK23-003618_25.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SOB_BK23-003618_25.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2752
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\LUWmYRSdzG.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2680
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\LUWmYRSdzG" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA89E.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2768
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2708

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpA89E.tmp
          Filesize

          1KB

          MD5

          8cdc4e52a62b7ba0c7fa486bf8deda3a

          SHA1

          19fb757365e2346f1fd45b66ae2204beb753c905

          SHA256

          7fdb6818f41fc9e1855af59ba7da15db7e1c1493f68ccfc2df36df51320fc648

          SHA512

          5ec23d802b9ec59fb81db457cd7a9edc3ec4d3ce374ac8dfff1d467d398321bd4d23d7156cfac2102041cb7a8b7f22a22b5e53131010df7e52ebd24f3eda9027

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F6HXTP6NYZBLSAD4RQMH.temp
          Filesize

          7KB

          MD5

          2b747f5a93e94de43e0eb119dc8c9528

          SHA1

          d687f9c38216764dabbfc46c9f101619e960f4a3

          SHA256

          5317d2f0aca0face6efea9a5a4e9e82b221490237aa73e2bb87dfbc70f618cbd

          SHA512

          8f054c02fe208a410495aed388f032f5b3db7b4c25dd99319a4a3d471cfecd83b6057f1344490d1c7908be88522355932cf15af4b1671dee39e2fc2ddcda64ed

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          2b747f5a93e94de43e0eb119dc8c9528

          SHA1

          d687f9c38216764dabbfc46c9f101619e960f4a3

          SHA256

          5317d2f0aca0face6efea9a5a4e9e82b221490237aa73e2bb87dfbc70f618cbd

          SHA512

          8f054c02fe208a410495aed388f032f5b3db7b4c25dd99319a4a3d471cfecd83b6057f1344490d1c7908be88522355932cf15af4b1671dee39e2fc2ddcda64ed

          Download Submit

        • memory/1744-3-0x0000000000380000-0x0000000000398000-memory.dmp

          Filesize

          96KB

          Download

        • memory/1744-4-0x00000000003A0000-0x00000000003A6000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1744-5-0x00000000004E0000-0x00000000004EA000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1744-6-0x0000000005BD0000-0x0000000005C80000-memory.dmp

          Filesize

          704KB

          Download

        • memory/1744-7-0x0000000074930000-0x000000007501E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1744-35-0x0000000074930000-0x000000007501E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1744-2-0x0000000000520000-0x0000000000560000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1744-1-0x0000000074930000-0x000000007501E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1744-20-0x0000000000520000-0x0000000000560000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1744-0-0x00000000003B0000-0x00000000004D6000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2680-37-0x000000006E720000-0x000000006ECCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2680-39-0x000000006E720000-0x000000006ECCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2680-44-0x000000006E720000-0x000000006ECCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2680-42-0x0000000002370000-0x00000000023B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2680-41-0x0000000002370000-0x00000000023B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2708-33-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-23-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-36-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-21-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-25-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-31-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2708-43-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2708-27-0x0000000000400000-0x0000000000476000-memory.dmp

          Filesize

          472KB

          Download

        • memory/2708-47-0x0000000073950000-0x000000007403E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2752-38-0x000000006E720000-0x000000006ECCB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2752-40-0x0000000002260000-0x00000000022A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2752-45-0x000000006E720000-0x000000006ECCB000-memory.dmp

          Filesize

          5.7MB

          Download