Overview

overview

10

Static

static

3

SecuriteIn...98.exe

windows7-x64

10

SecuriteIn...98.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231023-en
  • resource tags

    arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
  • submitted
    11-12-2023 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.4898.exe

  • Size

    612KB

  • MD5

    7c136f72ed32e4ea0265922ba6308b0b

  • SHA1

    aa09251be76828379f94f71366c9b2310cca8670

  • SHA256

    1c1ffe1a97f66ee3f36058ba41beda34fe52b2a4ff3e10dbf487d3ead8ca8432

  • SHA512

    a1da550da0ee6ec1132bc619dd3891a48764b965b9a6337d4c4ea56ab36d4bfbe687f2003105a647b878abcc5275d1876324e06d14a0b35d33d68c7286216430

  • SSDEEP

    12288:63IU8S6eUdL0s4KmzUVaEUdtwP6tqWzBDsIt1EEUGGC3tUAY:QItSAdL0kZcdc6971EEa6t

Score
10/10
agentteslazgratkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect ZGRat V1 1 IoCs
  • ZGRat

    ZGRat is remote access trojan written in C#.

    ratzgrat
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4898.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4898.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4898.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.4898.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2608

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2608-13-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-15-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-8-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-9-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-20-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-19-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2608-18-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-7-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-10-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-21-0x0000000004B80000-0x0000000004BC0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2608-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2924-2-0x00000000049D0000-0x0000000004A10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2924-0-0x0000000001260000-0x0000000001300000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2924-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2924-17-0x0000000074560000-0x0000000074C4E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2924-6-0x00000000059F0000-0x0000000005A6A000-memory.dmp

    Filesize

    488KB

    Download

  • memory/2924-5-0x00000000004A0000-0x00000000004AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2924-4-0x0000000000360000-0x0000000000368000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2924-3-0x0000000000440000-0x0000000000458000-memory.dmp

    Filesize

    96KB

    Download