Overview

overview

10

Static

static

3

Quotation.exe

windows7-x64

10

Quotation.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    19s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231201-en
  • resource tags

    arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Quotation.exe

  • Size

    830KB

  • MD5

    985225f6ec19a166c50bd5d0e16d330f

  • SHA1

    9022950aa9cef1cc010c636a97b229e30d0002b0

  • SHA256

    82cb6a221ee2b2c0c0f43139765407c713ff6980d966544f71f351c66928a4da

  • SHA512

    a4d5576cc36994ae0d6bfa0545961370f429bd8a4e875a65e77f6f4cf522dbf1fa82fb5491b593f26178a6a27c8c1b54214b06c29b43a6c2e09908ab4361d5a0

  • SSDEEP

    24576:koPOk+pJZDI7EeT/ZhOX0IAmQeY14VDjh:nyJ6ZT/Zh3IAmQ5qD

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vaTUux" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5293.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\vaTUux.exe"
      2⤵
        PID:2296
      • C:\Users\Admin\AppData\Local\Temp\Quotation.exe
        "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
        2⤵
          PID:2760

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5293.tmp
        Filesize

        1KB

        MD5

        6406b41d7aa867306a49c35cb9a810d6

        SHA1

        55e9854b94cfa021615980cfe9aac8171d4f2cf0

        SHA256

        dd75a58d85d02f95e1b02cb8786d593569d7bec21022198610ffda6a16eff19a

        SHA512

        813ffbcc44fe02c44cb8bf6c01f62ecf49617da1cfc69b8c3825bc371fb2c249d0e6b1dc17193918fc76f6f6de6168d1fc9c2328e2c2d424cb76c1156bb78a67

        Download Submit

      • memory/2296-33-0x000000006EF00000-0x000000006F4AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2296-29-0x000000006EF00000-0x000000006F4AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2296-32-0x000000006EF00000-0x000000006F4AB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2296-30-0x00000000027C0000-0x0000000002800000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2332-27-0x0000000074AD0000-0x00000000751BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2332-6-0x0000000005260000-0x00000000052DA000-memory.dmp

        Filesize

        488KB

        Download

      • memory/2332-5-0x0000000000550000-0x000000000055A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2332-1-0x0000000074AD0000-0x00000000751BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2332-2-0x0000000000960000-0x00000000009A0000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2332-3-0x0000000000520000-0x0000000000538000-memory.dmp

        Filesize

        96KB

        Download

      • memory/2332-4-0x00000000004D0000-0x00000000004D8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2332-0-0x00000000009B0000-0x0000000000A86000-memory.dmp

        Filesize

        856KB

        Download

      • memory/2760-31-0x0000000004BC0000-0x0000000004C00000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-22-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-28-0x0000000074AD0000-0x00000000751BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2760-24-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-26-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-16-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-14-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-13-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-12-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2760-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2760-34-0x0000000074AD0000-0x00000000751BE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2760-35-0x0000000004BC0000-0x0000000004C00000-memory.dmp

        Filesize

        256KB

        Download