Overview

overview

10

Static

static

3

MEGA_UPDATED.exe

windows7-x64

10

MEGA_UPDATED.exe

windows10-2004-x64

10

MEGA_UPDATED.exe

macos-10.15-amd64

1

Analysis

  • max time kernel
    29s
  • max time network
    30s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231130-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-12-2023 13:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MEGA_UPDATED.exe

  • Size

    3.4MB

  • MD5

    7a2175a604e95018790d38067eba2a89

  • SHA1

    e6023118821c117c2db23098e63b5dc50a4ded00

  • SHA256

    4e378a7de4a63a76a966ac25f754337bdf511fb24964dbaac7c03ac73103891b

  • SHA512

    3c91f92721fd937c78c54cedb74ee87356f0fb01a876b035333ad1a8ecfa63143685d8575145da7a9f48ece3fa1e81a751a6f8e2c6a9f26051375853094dfac8

  • SSDEEP

    49152:RwvTHrg5igXalMD79PjYm3DMdQrp5ZVPEJXzR81XiGRuHDOXG:RIHrgt8RQrp5TMZRSSA0j

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\MEGA_UPDATED.exe
    "C:\Users\Admin\AppData\Local\Temp\MEGA_UPDATED.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/nerestpc_bot
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2648
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9a6a46f8,0x7ffa9a6a4708,0x7ffa9a6a4718
        3⤵
          PID:2368
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
          3⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:388
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
          3⤵
            PID:1016
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
            3⤵
              PID:3216
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
              3⤵
                PID:3608
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
                3⤵
                  PID:4516
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
                  3⤵
                    PID:3484
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
                    3⤵
                      PID:5424
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5052 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:5440
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
                      3⤵
                        PID:5596
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5356 /prefetch:1
                        3⤵
                          PID:5588
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
                          3⤵
                            PID:5816
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,13651664843040392113,4258073205672991866,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5048 /prefetch:1
                            3⤵
                              PID:5808
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:800
                          • C:\Windows\System32\CompPkgSrv.exe
                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                            1⤵
                              PID:4440

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              152B

                              MD5

                              8f0cdba3e639a70bf26cf85d538ce1a8

                              SHA1

                              b457faa0d6c55d56d61167674f734f54c978639b

                              SHA256

                              c1e48c2dfaeb607efc713e1b5c01d1ee8a9491d8f3a2a5f4f3887e6c1f8c2f63

                              SHA512

                              3c270fc58170c37f51427aac2d3092ddbbc17832556718612cebb0c32c04e7e3b7e157969d458a4b9c3e8bf781c23489319338960cefb5cf530673f2b8f81609

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                              Filesize

                              72B

                              MD5

                              c24b7672a48a77b36dc6683409ee9eba

                              SHA1

                              469c2b6e8aeb68529b3bcee1244cddc9d7c738ad

                              SHA256

                              b1b4677a833a91a1a6ad638150edb05320047ddc371a473e0eeb065dac7c071d

                              SHA512

                              2c20b05a1a042ba4b43c6ebbeb34c9aa45f3d18608fbb71b3218f74a34831fdd918faf030322755d791070e81edbdc44ab52cfe3beb9dc40e71d7d51b777506e

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              111B

                              MD5

                              285252a2f6327d41eab203dc2f402c67

                              SHA1

                              acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                              SHA256

                              5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                              SHA512

                              11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                              Filesize

                              442B

                              MD5

                              bc8d6504f31a9dd7eee1295c3bc361d1

                              SHA1

                              bc5ee3dcec4f3403066aff767fdce32493188417

                              SHA256

                              c809414b84c3e54f02b90b80d66e6d6dfa2fee5f3636fe98a94d48709ec0bb85

                              SHA512

                              4d7e685fe2030026b9c4d0d970959706cb2dc60a72de04af26a740afea01124d790bb3253d9184da6bd92fd0301e57c14db3fcbc6bbb197d16be58643b8436ad

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              3cf8a191b9beb45e3b59bbb7e8044c07

                              SHA1

                              6edced70b9525c905d5f8e89e088485aaa284975

                              SHA256

                              b0076d1fc38c277937b26f00a2dff440adc947a3aac24b29c17f7fa37d8658c2

                              SHA512

                              810e40641887cab103ca0d972ad6f07c32af6424be89f58b4e669f658c0f486865425746b80a5c8b061ba072490864e6716e31fa6cb824a9cc80b7d0bfc540cc

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              5KB

                              MD5

                              c73639db2a60576a7a2b07768a4a0696

                              SHA1

                              ff87185ce55f9255ea2e38842175fd55f5bc40ae

                              SHA256

                              802a23cebad9cfc50a95241df6c3f02d428a284430094ee369c0a342d6b4caa8

                              SHA512

                              054d9e787ffa540a9041f4cfb1f6b3cb7453c6822b793f651e4db1ece5ce465559b76d79e71368a512f398475017ebf5c54eca99b93f275561cf3579b742b171

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                              Filesize

                              6KB

                              MD5

                              6d43c9c10971d560fc89bfb109632103

                              SHA1

                              37f40b633bc431027aa14e2d560108eb78bbab47

                              SHA256

                              5f82ccb2267998cd4a94d292bdf05477f0e4434272da3fd40455f9fd6fdcd31a

                              SHA512

                              c996c1b70d84371fa517dffb251bbd6fafd4efe030e0949bfb185ce2d67680e6342e1648341fd9026aa09c151be26c8c726fb1b699ef018681c855d9b6bf9cff

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
                              Filesize

                              24KB

                              MD5

                              8f472f5706f7f7e9508673402592ad03

                              SHA1

                              18e3a5699bbba3203e3876d0d28c560a5e6a9c03

                              SHA256

                              a98515127ff6537a7c2249265c6f4385320472a03127dc3d47c0d19eb2510d09

                              SHA512

                              7f1cfd39e3e078b180c6636822265565d07ee13929043095db13cfbadfcda476893244184aae3b204eee4f46a481e317455a8a96301982faac30ae3a82898234

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                              Filesize

                              16B

                              MD5

                              6752a1d65b201c13b62ea44016eb221f

                              SHA1

                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                              SHA256

                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                              SHA512

                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              e7b0f111a74f4e9d346f9742bd13b303

                              SHA1

                              3d01ae906b835c486dbed051675b1708a540f0b9

                              SHA256

                              e94de86337b6c308b3b09d011dba06c6a97d85d85c45f835ad4984bcf2343ab6

                              SHA512

                              777538de2c2201b2206b6ba1a9103c1c72fa96e3cc74f2f13a20be16cf6a9a0cd849356ce8547b31d8ae168dbe9725806e4edc30d85e3037b1ff3c18729f9f4c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              11KB

                              MD5

                              977434bbbd7b8551dbb12c9a53ea3442

                              SHA1

                              8b6edc45b547e06bf7b0bc6965edb0432a31c829

                              SHA256

                              9f5ad67e104350eba817a944b9c790a1191eb8292b2e7f988debcac784e11147

                              SHA512

                              5c282d90122950acecddbb5c7a5b9f25733f81e8e750fb487ca0d3a1c26ac922b91d4f69e27ddff84fc06e284769a4994bd5f0b4d290f3b631daefa34509daee

                              Download Submit

                            • memory/2840-6-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-41-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-8-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-69-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-7-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-4-0x000001E0F6BC0000-0x000001E0F6CA0000-memory.dmp

                              Filesize

                              896KB

                              Download

                            • memory/2840-0-0x000001E0F37C0000-0x000001E0F3B22000-memory.dmp

                              Filesize

                              3.4MB

                              Download

                            • memory/2840-5-0x000001E0F6CA0000-0x000001E0F6EB6000-memory.dmp

                              Filesize

                              2.1MB

                              Download

                            • memory/2840-100-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-3-0x000001E0F5790000-0x000001E0F5791000-memory.dmp

                              Filesize

                              4KB

                              Download

                            • memory/2840-2-0x000001E0F6060000-0x000001E0F6070000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/2840-1-0x00007FFA9FDC0000-0x00007FFAA0881000-memory.dmp

                              Filesize

                              10.8MB

                              Download

                            • memory/2840-9-0x00007FFA9FDC0000-0x00007FFAA0881000-memory.dmp

                              Filesize

                              10.8MB

                              Download