Overview

overview

10

Static

static

3

6a1ef6c9c4...76.exe

windows7-x64

10

6a1ef6c9c4...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2023 02:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe

  • Size

    676KB

  • MD5

    86c92625a06644590f8f93f6aa5669db

  • SHA1

    eceab13ad2b687af069dd80a60f714dd345d019c

  • SHA256

    6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876

  • SHA512

    2f04e694216d52ee2ccab165067d14641993d1fc770736d8a813e8cdff82729e1eefc5e8945b6dfd65e9166ba227139b1c35c3742e3e56bcdd5f4392e3a5957d

  • SSDEEP

    12288:4v26JAeIIn3gXWRadHKP5jaLEPkyndhv0x5blcAciPGK:G26JA4MW+KP5jaLEHndhvY53DG

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe
    "C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2016
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a1ef6c9c4a269735ad4093d064dd1c673c32bd24ebdcb8dd01c80d9e9e24876.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\dUtDhaePto.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2776
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\dUtDhaePto" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB1D2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2760
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2188

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpB1D2.tmp
    Filesize

    1KB

    MD5

    fcafc6e3a9a9e5bdac87462b7abdbe89

    SHA1

    64ce456a3995b186a40189a7a4d6e5abe952580f

    SHA256

    f6373fe3521cf8ba78f37876e2d2c6ddc22358e6df98dfab7011ef076a28b1a8

    SHA512

    08e58a18b95861727fec9558fba8e8755330f782d0c1c6077bed72984396d7380cd65f658f05933fd9246d84f7c4c02e67dbc65f807a37425966171d4583430a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\PXNMLY0HZWQW6159IH6S.temp
    Filesize

    7KB

    MD5

    b674d069ca8d20d918838c0aa257e9dd

    SHA1

    db8264dcf9457049b5081919759cc43bedd5f2e0

    SHA256

    af1623f1991aafd4f0fd129eb7a92f42a75a8eec90bbf9ac12f8b2a26ccea0bb

    SHA512

    a76d078dcd560be4928128a764e51d47999a94eaed5f71e9c47f6ec86a976f27b9ff033b67228e77cce5a8873f9392833131ddc2209d2f4887fb4f9b498a19d2

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    b674d069ca8d20d918838c0aa257e9dd

    SHA1

    db8264dcf9457049b5081919759cc43bedd5f2e0

    SHA256

    af1623f1991aafd4f0fd129eb7a92f42a75a8eec90bbf9ac12f8b2a26ccea0bb

    SHA512

    a76d078dcd560be4928128a764e51d47999a94eaed5f71e9c47f6ec86a976f27b9ff033b67228e77cce5a8873f9392833131ddc2209d2f4887fb4f9b498a19d2

    Download Submit

  • memory/2016-3-0x0000000000200000-0x0000000000216000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2016-4-0x0000000000230000-0x0000000000238000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2016-5-0x0000000000240000-0x000000000024A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2016-6-0x0000000004FF0000-0x000000000506A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2016-24-0x0000000004CF0000-0x0000000004D30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2016-2-0x0000000004CF0000-0x0000000004D30000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2016-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2016-19-0x00000000744F0000-0x0000000074BDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2016-39-0x00000000744F0000-0x0000000074BDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2016-0-0x00000000011C0000-0x000000000126E000-memory.dmp

    Filesize

    696KB

    Download

  • memory/2188-38-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-34-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-45-0x0000000004AE0000-0x0000000004B20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2188-44-0x00000000744F0000-0x0000000074BDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2188-26-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-32-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2188-41-0x0000000004AE0000-0x0000000004B20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2188-36-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2188-40-0x00000000744F0000-0x0000000074BDE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2668-21-0x000000006F100000-0x000000006F6AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2668-43-0x000000006F100000-0x000000006F6AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-20-0x000000006F100000-0x000000006F6AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-22-0x000000006F100000-0x000000006F6AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-42-0x000000006F100000-0x000000006F6AB000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2776-25-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2776-23-0x00000000028C0000-0x0000000002900000-memory.dmp

    Filesize

    256KB

    Download