Overview

overview

10

Static

static

3

DHLPAYMENT...62.exe

windows7-x64

10

DHLPAYMENT...62.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    22s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DHLPAYMENTREQUIRED1003671162.exe

  • Size

    904KB

  • MD5

    b665055897fc3b8a557568abc0d1df34

  • SHA1

    e73d473568ddf632d898f286967d26e75b298f3d

  • SHA256

    dca9d727db76dbb43b69e5ea1911861bfdc0aa9e13b954da78bcf2a36a92a9b3

  • SHA512

    abba46a3db77a20fce957d7d684b17bb75be5aabd3281b36ae9b639ec3df76c38ce9c1e5b2bae9c3f5a87026d3596fa3ce5e46cda2aeb1f3c72db77a886fd488

  • SSDEEP

    12288:ahl5nF8/VdqrlbjGIHcSY8/TJGxE05hCr0Dr6zz/rTWrRREeeM5QlaBNdoP7r9ry:0l+qhbjGn+/1Ga05BDm3rYRR+so1q

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe
    "C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2096
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DHLPAYMENTREQUIRED1003671162.exe"
      2⤵
        PID:2020
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hjaFQBlmQBGbJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF96C.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:2908
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hjaFQBlmQBGbJ.exe"
        2⤵
          PID:2572
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:2636

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmpF96C.tmp
          Filesize

          1KB

          MD5

          bc89002b2ec467e3a03b153371f6ff45

          SHA1

          ca98c4674df373b85b44382de9bf3cd71d6bd283

          SHA256

          3d7d5d1a75dd820a050cb4aaf8b8d1ad559a08dec8d389b2061e60796b17204c

          SHA512

          061e845337aade12f3384b15ca61800d1fe241d2f2ab12426e44c12c2dbfc2bfbb2ca2d335bdd4af59d30da5e13e47abd2cc2841bbbcf42b23c5e418fbe3c20e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MKT9RDWHAGYPTC2LDICM.temp
          Filesize

          7KB

          MD5

          813feb1a53ce45574fcd49f31b687859

          SHA1

          894588c2a8d859766603c56b0c60f6800d2204da

          SHA256

          3fc8345fbf1b2766fc627ab36425feb43fab6dc268990cdfdcd56141056fe353

          SHA512

          e61f42997dda8d8c823bad7b7390172bd538c8174ce64881e2b494e78579a45e9b5374a3ddb28bd8f0defb72177f911d8a56c7320aa8d1aeecd219f5255370f0

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          813feb1a53ce45574fcd49f31b687859

          SHA1

          894588c2a8d859766603c56b0c60f6800d2204da

          SHA256

          3fc8345fbf1b2766fc627ab36425feb43fab6dc268990cdfdcd56141056fe353

          SHA512

          e61f42997dda8d8c823bad7b7390172bd538c8174ce64881e2b494e78579a45e9b5374a3ddb28bd8f0defb72177f911d8a56c7320aa8d1aeecd219f5255370f0

          Download Submit

        • memory/2020-38-0x0000000002860000-0x00000000028A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2020-30-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2020-37-0x0000000002860000-0x00000000028A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2020-25-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2020-45-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2096-6-0x0000000005330000-0x00000000053AC000-memory.dmp

          Filesize

          496KB

          Download

        • memory/2096-3-0x0000000000640000-0x0000000000658000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2096-19-0x0000000074190000-0x000000007487E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2096-20-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2096-1-0x0000000074190000-0x000000007487E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2096-2-0x0000000000600000-0x0000000000640000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2096-5-0x0000000000660000-0x000000000066A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2096-4-0x0000000000530000-0x0000000000538000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2096-0-0x0000000000330000-0x0000000000418000-memory.dmp

          Filesize

          928KB

          Download

        • memory/2096-41-0x0000000074190000-0x000000007487E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2572-27-0x0000000002630000-0x0000000002670000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2572-22-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2572-46-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2572-42-0x0000000002630000-0x0000000002670000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2572-33-0x000000006ECE0000-0x000000006F28B000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2572-35-0x0000000002630000-0x0000000002670000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2636-28-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-39-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-43-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-34-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-44-0x0000000074190000-0x000000007487E000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2636-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2636-29-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-21-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2636-47-0x0000000074190000-0x000000007487E000-memory.dmp

          Filesize

          6.9MB

          Download