Overview

overview

10

Static

static

3

tmp.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    107s
  • max time network
    90s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231128-en
  • resource tags

    arch:x64arch:x86image:win11-20231128-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-12-2023 02:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    644KB

  • MD5

    219492f049fb6d224dc912fb1de2d515

  • SHA1

    ecfbfb5a6714032f4c811601bf8146c1f580b58f

  • SHA256

    6d3e0f4b400eeb388c288d1151c5051224f99497a522424f60d9cdcc63157cab

  • SHA512

    7f7cf112ff91e0634728a42937051326c5810ef1fbf1b3b9e8a6847b9f34f2ebdb765e046ee4b61f6d286e75ada5cfd4db45eb876e2eb61e8ca9309844ee2878

  • SSDEEP

    12288:8K361h61EWGqLia/AsN3xoiFyit3+hBSEvowv409EVjbEQ8q61:8vY7GUiasSnt3qBSE1ejbEQ8v

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4688
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
        PID:2412
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3144
    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4744
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4824
      • C:\Users\Admin\Desktop\tmp.exe
        "C:\Users\Admin\Desktop\tmp.exe"
        1⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Users\Admin\Desktop\tmp.exe
          "C:\Users\Admin\Desktop\tmp.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2268

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\tmp.exe.log
        Filesize

        1KB

        MD5

        2de4f487458ea21fe096352cd17cc6e5

        SHA1

        80abf2ba958dc9c4594a02a903d9f4021f6a9bcb

        SHA256

        80ceff0f78098a7cb4f64e19ff26ac298a3664a82c59dfb117aa81a5505aeb2e

        SHA512

        f1bab93dce713a9d3c833da82f74ce796619e0565099ccb5f52a89042f49dad32e2c0a58ff92c8e30598c4d13e55e51d897a39b64a480c9381161612d274d842

        Download Submit

      • memory/1316-23-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/1316-21-0x0000000005300000-0x0000000005310000-memory.dmp

        Filesize

        64KB

        Download

      • memory/1316-20-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2268-28-0x0000000005A90000-0x0000000005AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2268-27-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2268-25-0x0000000005A90000-0x0000000005AA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2268-24-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3144-19-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3144-16-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3144-26-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3144-18-0x0000000006240000-0x0000000006290000-memory.dmp

        Filesize

        320KB

        Download

      • memory/3144-12-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/3144-17-0x00000000053B0000-0x00000000053C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4688-8-0x00000000069C0000-0x00000000069C8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/4688-15-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4688-9-0x00000000069D0000-0x00000000069DA000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4688-11-0x0000000009550000-0x00000000095EC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4688-0-0x0000000075110000-0x00000000758C1000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4688-7-0x00000000083A0000-0x00000000083B0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4688-6-0x0000000005660000-0x000000000566A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4688-5-0x00000000053B0000-0x00000000053C0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4688-4-0x0000000005210000-0x0000000005276000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4688-3-0x0000000005170000-0x0000000005202000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4688-10-0x0000000006A70000-0x0000000006AEA000-memory.dmp

        Filesize

        488KB

        Download

      • memory/4688-2-0x0000000005680000-0x0000000005C26000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4688-1-0x00000000005D0000-0x0000000000678000-memory.dmp

        Filesize

        672KB

        Download