Overview

overview

10

Static

static

3

B3.exe

windows7-x64

10

B3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    23s
  • max time network
    172s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-12-2023 16:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    B3.exe

  • Size

    686KB

  • MD5

    dec40a2b97404b644f142979f8b7107a

  • SHA1

    45fa65b15e2f206ea917cc1877365e7fcba39731

  • SHA256

    9ee7811e79cf1f1f76aadb17175227bf172b21ed84a54a53ef98a1f4695f75ba

  • SHA512

    9c33d35ead9764e26a4499d88a5dcba7795205e715ca8b739b1dd4b9b071e777f2713d8bec17fe0c52e03e51952c90e2154e35d5b49d6f7b03a2b8b5341b7acb

  • SSDEEP

    12288:Cn/7eVSw4/eC9J4j/Nw3ghMM7s16pqOO9fzClLg6acbV1E7lrtWYOQmbCp:Cn/yVk/eYSj1IghBpqb1zq3Pbgx

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\B3.exe
    "C:\Users\Admin\AppData\Local\Temp\B3.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Users\Admin\AppData\Local\Temp\B3.exe
      "C:\Users\Admin\AppData\Local\Temp\B3.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1836

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\B3.exe.log
    Filesize

    1KB

    MD5

    b7b9acb869ccc7f7ecb5304ec0384dee

    SHA1

    6a90751c95817903ee833d59a0abbef425a613b3

    SHA256

    8cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4

    SHA512

    7bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764

    Download Submit

  • memory/1836-12-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1836-21-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-20-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1836-19-0x0000000005C80000-0x0000000005CD0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1836-17-0x0000000004F30000-0x0000000004F40000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1836-18-0x0000000005040000-0x00000000050A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1836-16-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-5-0x00000000051B0000-0x00000000051C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3824-9-0x0000000002BD0000-0x0000000002BDA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3824-10-0x0000000006B30000-0x0000000006BAA000-memory.dmp

    Filesize

    488KB

    Download

  • memory/3824-11-0x000000000A340000-0x000000000A3DC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3824-8-0x0000000009290000-0x0000000009298000-memory.dmp

    Filesize

    32KB

    Download

  • memory/3824-7-0x0000000006050000-0x000000000606A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/3824-15-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3824-6-0x0000000005770000-0x000000000577A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3824-0-0x0000000000790000-0x0000000000842000-memory.dmp

    Filesize

    712KB

    Download

  • memory/3824-4-0x00000000052E0000-0x0000000005634000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3824-3-0x0000000005240000-0x00000000052D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3824-2-0x00000000057F0000-0x0000000005D94000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3824-1-0x0000000074540000-0x0000000074CF0000-memory.dmp

    Filesize

    7.7MB

    Download