Overview

overview

10

Static

static

3

Shipping D...ts.exe

windows7-x64

10

Shipping D...ts.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2023 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipping Documents.exe

  • Size

    647KB

  • MD5

    c4a1c630b0f8185f81caeee3fb378744

  • SHA1

    c57c38a18d2a349d621ab059c28f04ce68302d8c

  • SHA256

    0b445847b8750637180e5c10be73bbb758082939394c3fd1ee2a2ea08d61e83d

  • SHA512

    5470a96ebbb28efcb1959c0ff9a4a30f95f4e825de1fbe63797219465801eff6a2227baf476371c27ad8a52151cbf0060fc943a47626221959e26f01e870c34b

  • SSDEEP

    12288:pHoZzsJ5QWsnm8O1OkfZFZllfvih/IpZAEbRCk9TN0IetKjWo7lb2SGopox:KJsdsPC9ZHfvihA//bRp9xFeAjWrXe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe
    "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2484
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\EvmuRutsny.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2096
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EvmuRutsny" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFCF.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2124
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2128

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAFCF.tmp
    Filesize

    1KB

    MD5

    d53d188c0104b029bae3bf14c17469bc

    SHA1

    c0695e1b5644cc5291da3d304aa4cfeacdc1f154

    SHA256

    b88f6d22c40be47aabdd4e19ea4dbfee57285d3b88d4e5a86bb8134eac01729e

    SHA512

    adf8080e77a1f7032bda6854d84faa986d2a15855caf353ccd3ae6983ece24f9f9438106113edd9df727fa4c5519ff1a27f80780e6fb620b8044e631eff7c760

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XAGTP6AYDMG7Y6TMZC3M.temp
    Filesize

    7KB

    MD5

    f15f54d8d247c9bcbe97b3a3a9878d4c

    SHA1

    ed51987e3027e00eda353deba8a971a5a33be8a3

    SHA256

    1db47aba4e7cdf5dda8d1b5a71ed66bde010e40fb5fc09bb33b9c29c73c3a96c

    SHA512

    432a69c9d5b2ecfca3b243cedf6e0a7020c2c51399a217e7f8773ffcc859ec5b319dd96e2fd805e9638c341b8a8950a74d113fc8d9156506b0b68bd1b68c9cdf

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    f15f54d8d247c9bcbe97b3a3a9878d4c

    SHA1

    ed51987e3027e00eda353deba8a971a5a33be8a3

    SHA256

    1db47aba4e7cdf5dda8d1b5a71ed66bde010e40fb5fc09bb33b9c29c73c3a96c

    SHA512

    432a69c9d5b2ecfca3b243cedf6e0a7020c2c51399a217e7f8773ffcc859ec5b319dd96e2fd805e9638c341b8a8950a74d113fc8d9156506b0b68bd1b68c9cdf

    Download Submit

  • memory/2096-46-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-44-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2096-40-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2096-39-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2096-37-0x00000000026E0000-0x0000000002720000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2096-36-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2128-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-42-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-49-0x0000000072E60000-0x000000007354E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2128-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2128-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2128-48-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2128-43-0x0000000072E60000-0x000000007354E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2128-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2348-1-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2348-6-0x0000000005EC0000-0x0000000005F3A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2348-5-0x0000000000530000-0x000000000053A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2348-20-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2348-4-0x00000000004B0000-0x00000000004B6000-memory.dmp

    Filesize

    24KB

    Download

  • memory/2348-3-0x00000000004D0000-0x00000000004E8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2348-0-0x0000000001040000-0x00000000010E8000-memory.dmp

    Filesize

    672KB

    Download

  • memory/2348-7-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2348-33-0x0000000074160000-0x000000007484E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2348-2-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2484-38-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2484-47-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2484-45-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2484-41-0x0000000002700000-0x0000000002740000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2484-35-0x000000006EFF0000-0x000000006F59B000-memory.dmp

    Filesize

    5.7MB

    Download