Overview

overview

10

Static

static

3

ProductSpe...23.exe

windows7-x64

10

ProductSpe...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ProductSpecificationDec052023.exe

  • Size

    828KB

  • MD5

    72c79ce71ca4d2529fb05f1e37341a69

  • SHA1

    aaa4e64071d39f2590d1bcb3b758c51d320ece31

  • SHA256

    a4d1c2193d3db847e5c7132074a16826beff3d069e1ba83633b8ac7bc5c88f5e

  • SHA512

    0e1f9eb942b5409bee74c4aaa3d249a87a88dc72d4aeda2cbe39cde7f428ef07b21e17c9467413826f4b599db744064acec96061dd8c5c3f1ea61f3f98618969

  • SSDEEP

    12288:anfKE6jD/62iNG5nF8+pQWMHKMuGxZcx0dZRyKuhqCqPiGIqkHmI:afKtD/61I4HKMuOcexylhqCq5IJHmI

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe
    "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1280
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2876
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tNgQrHLDn.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tNgQrHLDn" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9E9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2872
    • C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe
      "C:\Users\Admin\AppData\Local\Temp\ProductSpecificationDec052023.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpF9E9.tmp
    Filesize

    1KB

    MD5

    d3f96fac71360bc4cef2ecdc6da07efa

    SHA1

    aed1e42affd5ad2d97ce9e3e948bab323cbc2c0d

    SHA256

    6d638a633685050c35176aaf70e54d65f810e2cc6ecf4835f234e65d34c39fe1

    SHA512

    8a3c51dc5c9f214d8c8f5abb3fc73f0c19d95bb4a6ebdc31cc00d351f806a1199e2ed6babe1fb57691a6bc9385edf814211ba8e7b4bd2810f8c090e935197855

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\S4XXQKO93CDRP094IRS2.temp
    Filesize

    7KB

    MD5

    4f4557f7b051638b63a2af7e65081f0a

    SHA1

    bb77ec0d89e0b44db4f66c1ff864d1cfe6f9f09b

    SHA256

    de861b300a7942d486840e23cc1fc10bfe8e483a60c6ee3c3b798b34709c076a

    SHA512

    dc3fe733e1e2cc960fcb2453c8e9b8413b3f206b31317c9585bc1733b43d7f0690536376420e9af0e3466bc6a3f4f6c1804da233d13a06281d9a73da92fee408

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    4f4557f7b051638b63a2af7e65081f0a

    SHA1

    bb77ec0d89e0b44db4f66c1ff864d1cfe6f9f09b

    SHA256

    de861b300a7942d486840e23cc1fc10bfe8e483a60c6ee3c3b798b34709c076a

    SHA512

    dc3fe733e1e2cc960fcb2453c8e9b8413b3f206b31317c9585bc1733b43d7f0690536376420e9af0e3466bc6a3f4f6c1804da233d13a06281d9a73da92fee408

    Download Submit

  • memory/1280-3-0x00000000002C0000-0x00000000002D8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1280-4-0x00000000002E0000-0x00000000002E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/1280-5-0x00000000003F0000-0x00000000003FA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1280-6-0x0000000005310000-0x000000000538C000-memory.dmp

    Filesize

    496KB

    Download

  • memory/1280-7-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1280-8-0x0000000004E80000-0x0000000004EC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1280-0-0x0000000000FA0000-0x0000000001074000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1280-2-0x0000000004E80000-0x0000000004EC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1280-1-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1280-35-0x0000000074020000-0x000000007470E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-33-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2512-31-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-36-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2512-37-0x0000000072D20000-0x000000007340E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2512-38-0x0000000000340000-0x0000000000380000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-52-0x0000000000340000-0x0000000000380000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2512-51-0x0000000072D20000-0x000000007340E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2684-45-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2684-42-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2684-46-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2684-47-0x00000000025E0000-0x0000000002620000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2684-50-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2684-39-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2876-43-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2876-41-0x0000000002300000-0x0000000002340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2876-44-0x0000000002300000-0x0000000002340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2876-48-0x0000000002300000-0x0000000002340000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2876-49-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/2876-40-0x000000006EEA0000-0x000000006F44B000-memory.dmp

    Filesize

    5.7MB

    Download