Overview

overview

10

Static

static

3

0e2c9248cc...2b.exe

windows7-x64

10

0e2c9248cc...2b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/12/2023, 19:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e2c9248cc88052d8fdd8d4b9399772b.exe

  • Size

    314KB

  • MD5

    0e2c9248cc88052d8fdd8d4b9399772b

  • SHA1

    9846115f79d650bfc25803e7e521259882822d61

  • SHA256

    b38ba88413ce3a2d4519969c92be6cf9f9e6b75c32fc80aa1b5b8336836c23e4

  • SHA512

    0fcccda878b9c5b8c68d77bce2f45fe605c6f71b208e8a0e421d94f7b501c7cd9aba916a18eea4a8ffaff178e7f34f464c1140f51ae8cb421a2b5a67534e9f83

  • SSDEEP

    6144:zLTfGueEAmg+NEo5YS01+7uAz1c0xaDHmI7qY:jfGbEAmDv2S0IIGIt

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot1898788581:AAEbsCzTih-rxVDH11H9U8nZ_h_9VfJgvh4/sendDocument

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e2c9248cc88052d8fdd8d4b9399772b.exe
    "C:\Users\Admin\AppData\Local\Temp\0e2c9248cc88052d8fdd8d4b9399772b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4588
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      "C:\Users\Admin\AppData\Local\Temp\0e2c9248cc88052d8fdd8d4b9399772b.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:4704

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4588-1-0x0000000000AE0000-0x0000000000BE0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/4588-2-0x0000000001460000-0x0000000001462000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4704-3-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4704-4-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4704-6-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-5-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4704-7-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-8-0x00000000749C0000-0x0000000074F71000-memory.dmp

    Filesize

    5.7MB

    Download

  • memory/4704-9-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-10-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-11-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4704-12-0x00000000017A0000-0x00000000017B0000-memory.dmp

    Filesize

    64KB

    Download