Overview

overview

10

Static

static

3

PDF.exe

windows7-x64

10

PDF.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    29s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    05-12-2023 17:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PDF.exe

  • Size

    711KB

  • MD5

    72974b75ad00da73e07b976b73c5afb6

  • SHA1

    094208c0eedb674553d1b7c0a99e46599d75acff

  • SHA256

    faf02d9acd5877e620c4fb200895a1306a555baedc6b5e7072a4928a1a39a20a

  • SHA512

    e708b48b2fabbe96eb78e0021dba6acb63078c413a0ad9063f6204c36357a867da9e883e02f7c1def0a5a6ec7a2596cfedda715beb483691b4434725f440d851

  • SSDEEP

    12288:j/bwLijBoKwyg+ldzxhPD4eu6fvLSReBFmPbSCcWCODgNjsyrroyVMx:jDKzyjlntS6GReuVvDgNjsyno

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PDF.exe
    "C:\Users\Admin\AppData\Local\Temp\PDF.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\YBGbQTeOWq.exe"
      2⤵
        PID:2436
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YBGbQTeOWq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DC5.tmp"
        2⤵
        • Creates scheduled task(s)
        PID:2448
      • C:\Users\Admin\AppData\Local\Temp\PDF.exe
        "C:\Users\Admin\AppData\Local\Temp\PDF.exe"
        2⤵
          PID:2728

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp9DC5.tmp
        Filesize

        1KB

        MD5

        dfcbc3de3b90c15204badab89f3183df

        SHA1

        d33e92a410a8bb0fa853d9ea4ccde1dbfca67adc

        SHA256

        bcdb47bee193c9caa3663029a597ff8e7e79dc471fed015b2b522dcbd952f8dd

        SHA512

        6a2ce94d5f14ce0ed87d8040e91b0b0f716a25b8179a152b70186e9e31f92125a1a96595dd5a6079f94a11156ef0d2736934a1e457ea927da2f8081b9306bf0a

        Download Submit

      • memory/1244-8-0x0000000004DE0000-0x0000000004E20000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1244-1-0x0000000073F40000-0x000000007462E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1244-3-0x0000000001E80000-0x0000000001E98000-memory.dmp

        Filesize

        96KB

        Download

      • memory/1244-4-0x0000000000570000-0x0000000000576000-memory.dmp

        Filesize

        24KB

        Download

      • memory/1244-5-0x0000000000590000-0x000000000059A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/1244-6-0x0000000005A00000-0x0000000005A7A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/1244-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1244-0-0x00000000009A0000-0x0000000000A58000-memory.dmp

        Filesize

        736KB

        Download

      • memory/1244-7-0x0000000073F40000-0x000000007462E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1244-23-0x0000000073F40000-0x000000007462E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2436-34-0x0000000073DE0000-0x000000007438B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2436-31-0x0000000073DE0000-0x000000007438B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2436-32-0x0000000002730000-0x0000000002770000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2436-30-0x0000000073DE0000-0x000000007438B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2436-33-0x0000000002730000-0x0000000002770000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-22-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-18-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2728-20-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-29-0x0000000004AE0000-0x0000000004B20000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-28-0x0000000072E50000-0x000000007353E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2728-17-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-16-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-15-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-14-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-25-0x0000000000400000-0x0000000000440000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2728-35-0x0000000072E50000-0x000000007353E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2728-36-0x0000000004AE0000-0x0000000004B20000-memory.dmp

        Filesize

        256KB

        Download