Overview

overview

10

Static

static

3

Inquiry.exe

windows7-x64

10

Inquiry.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2023 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Inquiry.exe

  • Size

    719KB

  • MD5

    c0358fee59172c24e5695593392135e0

  • SHA1

    5b7a3dac90e3014de6eec3ac9e96c9534918bfc1

  • SHA256

    cab0d981559ec627b28ba927840774c66ccba4c7cea401d748ac398f0ab39c85

  • SHA512

    a2a7ff42f8294e83babc69d13532fc4fd6653ca084e32d1a9bb6c6da759c13a5ac782bd2a9802809756f703ce6de02582392bdef088c48df466ebeba403ab0a1

  • SSDEEP

    12288:aD+dIbgzk6wM4i0ID2Fld+lwrzS8dRm9LSuvnUA78WxKNQbCxOKL:aD+H4XMb0Pz3nS8oSuvUm8WxtbCx7

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
    "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
      "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1336-14-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-25-0x0000000000720000-0x0000000000760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1336-24-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1336-21-0x0000000000720000-0x0000000000760000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1336-20-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1336-18-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-16-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-7-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-8-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-9-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-10-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1336-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2268-5-0x0000000000510000-0x000000000051A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2268-6-0x0000000005C90000-0x0000000005D0C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/2268-0-0x00000000013E0000-0x000000000149A000-memory.dmp

    Filesize

    744KB

    Download

  • memory/2268-19-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2268-4-0x0000000000500000-0x0000000000508000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2268-3-0x00000000004E0000-0x00000000004F6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2268-2-0x0000000004CC0000-0x0000000004D00000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2268-1-0x00000000748E0000-0x0000000074FCE000-memory.dmp

    Filesize

    6.9MB

    Download