Overview

overview

10

Static

static

3

purchase orders.exe

windows7-x64

10

purchase orders.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    132s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231127-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-12-2023 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    purchase orders.exe

  • Size

    407KB

  • MD5

    e9f8fff3341f84d5f76570fd5068b8b5

  • SHA1

    7daebfd9193ff0c4925523d470d71ff12d692f98

  • SHA256

    86608bbc9a9aa6e01636680205ef421bc37aeff7312960a821989f1eea7b3540

  • SHA512

    80fcd35320752592e7e163b5d50df19c01d061596bc411e0de7a666c156f28973b11fc8760c56a64382b22ddaf2c6aa05092ba1aba496970a0afcf7e6ed935ec

  • SSDEEP

    12288:D9WEeYF2adf4qD7Wz+oHvu7oUgLCPj4tF2:D9WEeJhM35UUGAwU

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.karthikagro.in
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Yenks@0910

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\purchase orders.exe
    "C:\Users\Admin\AppData\Local\Temp\purchase orders.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
      "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
        "C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe"
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\gdiyqwb.im
    Filesize

    334KB

    MD5

    7e9a72d139878ecf2699b44f890e14b8

    SHA1

    23a55bd2a648fe65dc25356beb5be8c44d718147

    SHA256

    545fed32d85fd13dee67e82dba632a2a8f54f7c9a101ef68136c457f5ad6b4e2

    SHA512

    bc1d5687488fbff994ac89e149c0607fa02a129742536dd4939f8fc1a3c5815377d17d7c35d197a6b0eac423d44606b8d690ec49ac3dc5992763dc449b414331

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uxtaxvs.exe
    Filesize

    169KB

    MD5

    c9fd2ae104aacc62a6d543db3bdf70b2

    SHA1

    4111132302640eaed75782acbe3541c73df03c3a

    SHA256

    66da97b966ac27a59f60aceabad03fb2f5cc74f958147e4031dc7ae188d002df

    SHA512

    706503ba49ecdfb165f2e4d57f71eb7294fdf8f95c4f82e96097251f09d94f56aa32ac27a8c004099e6cb03ad9eab32e428eb06146e6e0178bf19d2c458e26fa

    Download Submit

  • memory/1596-17-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-14-0x00000000024A0000-0x00000000024E2000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1596-12-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1596-32-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-10-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1596-8-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1596-15-0x00000000742C0000-0x0000000074A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1596-18-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-31-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-16-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-19-0x0000000004B10000-0x00000000050B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1596-13-0x0000000000400000-0x0000000000453000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1596-20-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-21-0x0000000004A50000-0x0000000004AB6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/1596-22-0x0000000005FC0000-0x0000000006010000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1596-23-0x0000000006020000-0x00000000060BC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1596-25-0x00000000742C0000-0x0000000074A70000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/1596-26-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-27-0x0000000004B00000-0x0000000004B10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1596-28-0x0000000006140000-0x00000000061D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1596-29-0x0000000006260000-0x000000000626A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4656-5-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4656-11-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download