Overview

overview

10

Static

static

3

27e45037b1...e7.exe

windows7-x64

10

27e45037b1...e7.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    142s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2023 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27e45037b1b654116d2b38935319922820388546c717ace1223236fe37740ee7.exe

  • Size

    422KB

  • MD5

    50541c2cd38eed9db2a65faa10fdc877

  • SHA1

    432affdf4626871c032cdb0d0432c9c91897df5b

  • SHA256

    27e45037b1b654116d2b38935319922820388546c717ace1223236fe37740ee7

  • SHA512

    e8ece503b2e96f314b9e480396a93cc3e6af2141488ed92e8bd76c75d6b3a5263ae57b28a09f87847aef238538c0b532eed833d1fdd0dc974cf7fdb6c408d96d

  • SSDEEP

    6144:P8LxBgQA9EWGEbktNxLahPW9DOzyAoXYwNF6dGtGW62WYFbNAKw6kOMw:gAVfbMNx+ZhyAoXNievWmvrMw

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27e45037b1b654116d2b38935319922820388546c717ace1223236fe37740ee7.exe
    "C:\Users\Admin\AppData\Local\Temp\27e45037b1b654116d2b38935319922820388546c717ace1223236fe37740ee7.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
      "C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1404
      • C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
        "C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1980

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\putvzfwr.d
    Filesize

    333KB

    MD5

    ebc1fae6e8f6d444d9680e694db83f04

    SHA1

    94b0aa53a92eb358ac7ae597b8a505c334af5cd3

    SHA256

    1338136538526c0d93b51a6085e1dba6a741c32c6cf4322c48f6d78ff5dcfb6a

    SHA512

    64c8b17241d76d0ee81da3c77b4f04f1af28be31426b14140824957834f047c90dba4fd5d287b1d467eaab7ad2e3655ffce4ef1fa8562e6f2f6c5dfe62882c6b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
    Filesize

    174KB

    MD5

    414ba01a5a8be61ea11f33c49f249a96

    SHA1

    feddcbee54dfad2b95726322814f3abf0015285a

    SHA256

    3b5fdd55bb5f0beaeb6343735cb4a17f7c0ad994c78b0ed07de21c20a2debfcd

    SHA512

    f599bd6edb94bf7b6b0bcb94660bc382b857834757303c9afc80bd61bbaa06ff71c586a90e5357a29d29c38b3c932710d4c9afb6b686485783e34480f228e454

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
    Filesize

    174KB

    MD5

    414ba01a5a8be61ea11f33c49f249a96

    SHA1

    feddcbee54dfad2b95726322814f3abf0015285a

    SHA256

    3b5fdd55bb5f0beaeb6343735cb4a17f7c0ad994c78b0ed07de21c20a2debfcd

    SHA512

    f599bd6edb94bf7b6b0bcb94660bc382b857834757303c9afc80bd61bbaa06ff71c586a90e5357a29d29c38b3c932710d4c9afb6b686485783e34480f228e454

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
    Filesize

    174KB

    MD5

    414ba01a5a8be61ea11f33c49f249a96

    SHA1

    feddcbee54dfad2b95726322814f3abf0015285a

    SHA256

    3b5fdd55bb5f0beaeb6343735cb4a17f7c0ad994c78b0ed07de21c20a2debfcd

    SHA512

    f599bd6edb94bf7b6b0bcb94660bc382b857834757303c9afc80bd61bbaa06ff71c586a90e5357a29d29c38b3c932710d4c9afb6b686485783e34480f228e454

    Download Submit

  • \Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
    Filesize

    174KB

    MD5

    414ba01a5a8be61ea11f33c49f249a96

    SHA1

    feddcbee54dfad2b95726322814f3abf0015285a

    SHA256

    3b5fdd55bb5f0beaeb6343735cb4a17f7c0ad994c78b0ed07de21c20a2debfcd

    SHA512

    f599bd6edb94bf7b6b0bcb94660bc382b857834757303c9afc80bd61bbaa06ff71c586a90e5357a29d29c38b3c932710d4c9afb6b686485783e34480f228e454

    Download Submit

  • \Users\Admin\AppData\Local\Temp\uzqlnsntz.exe
    Filesize

    174KB

    MD5

    414ba01a5a8be61ea11f33c49f249a96

    SHA1

    feddcbee54dfad2b95726322814f3abf0015285a

    SHA256

    3b5fdd55bb5f0beaeb6343735cb4a17f7c0ad994c78b0ed07de21c20a2debfcd

    SHA512

    f599bd6edb94bf7b6b0bcb94660bc382b857834757303c9afc80bd61bbaa06ff71c586a90e5357a29d29c38b3c932710d4c9afb6b686485783e34480f228e454

    Download Submit

  • memory/1404-14-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1404-6-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1980-10-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1980-13-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1980-15-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

    Download

  • memory/1980-16-0x0000000073A90000-0x000000007417E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1980-18-0x00000000046B0000-0x00000000046F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1980-17-0x0000000001EE0000-0x0000000001F22000-memory.dmp

    Filesize

    264KB

    Download

  • memory/1980-19-0x00000000046B0000-0x00000000046F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1980-20-0x00000000046B0000-0x00000000046F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1980-22-0x0000000073A90000-0x000000007417E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1980-23-0x00000000046B0000-0x00000000046F0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/1980-25-0x00000000046B0000-0x00000000046F0000-memory.dmp

    Filesize

    256KB

    Download