Overview

overview

10

Static

static

10

сентя...49.exe

windows7-x64

10

сентя...49.exe

windows10-2004-x64

10

сентя...df.exe

windows7-x64

10

сентя...df.exe

windows10-2004-x64

10

сентя...5d.exe

windows7-x64

8

сентя...5d.exe

windows10-2004-x64

8

сентя...ba.exe

windows7-x64

10

сентя...ba.exe

windows10-2004-x64

10

сентя...bd.exe

windows7-x64

7

сентя...bd.exe

windows10-2004-x64

7

сентя...14.exe

windows7-x64

3

сентя...14.exe

windows10-2004-x64

3

сентя...04.exe

windows7-x64

10

сентя...04.exe

windows10-2004-x64

10

сентя...73.exe

windows7-x64

10

сентя...73.exe

windows10-2004-x64

сентя...4b.exe

windows7-x64

1

сентя...4b.exe

windows10-2004-x64

10

сентя...ee.exe

windows7-x64

3

сентя...ee.exe

windows10-2004-x64

7

сентя...75.exe

windows7-x64

3

сентя...75.exe

windows10-2004-x64

7

сентя...53.exe

windows7-x64

10

сентя...53.exe

windows10-2004-x64

сентя...fa.exe

windows7-x64

10

сентя...fa.exe

windows10-2004-x64

10

сентя...e3.exe

windows7-x64

10

сентя...e3.exe

windows10-2004-x64

10

сентя...3a.exe

windows7-x64

3

сентя...3a.exe

windows10-2004-x64

3

сентя...25.exe

windows7-x64

10

сентя...25.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    354s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-12-2023 02:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    сентябрь 2023(570)/0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25.exe

  • Size

    401KB

  • MD5

    f111e4ac9108f1bdbb1205b23abe1d28

  • SHA1

    66484a2da4e8a5c63c2f0ff551c281b9b9e031cc

  • SHA256

    0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25

  • SHA512

    b2c032ba315415b15ef8e020f4472c29e56e3a1de69a2e126bfd5c5ca2581ffdcd7cb17fffb0656c4306b058fc740d1bb31dc165eaff447896faf9254bd7bdf7

  • SSDEEP

    12288:GYIro7VTc2oUVyl793J0rUrWbcG9m+gkOYTth:GYKo5Tcu0993Sgi94gOGth

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Executes dropped EXE 2 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25.exe
    "C:\Users\Admin\AppData\Local\Temp\сентябрь 2023(570)\0817f4e9a329fa90fba9136d6ba89a75cd7c3e78dffdd4d75f116f18c9610e25.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Users\Admin\AppData\Local\Temp\qjtrdfqx.exe
      "C:\Users\Admin\AppData\Local\Temp\qjtrdfqx.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Local\Temp\qjtrdfqx.exe
        "C:\Users\Admin\AppData\Local\Temp\qjtrdfqx.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

3
T1552

Credentials In Files

3
T1552.001

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

3
T1005

Email Collection

1
T1114

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\niqbknyexq.ia
    Filesize

    336KB

    MD5

    dc6713ed93b2207523fc05e463708bf9

    SHA1

    3f06025d52cde6af57781f3977908c26cc23b38d

    SHA256

    5de782b12df19e55fffb73f425c4ee16ee0cb351dc2de3f2e96d921b026528b8

    SHA512

    31df1193a563f68879bffd51d15b799327e389cec57dc4c5f451abfc703e15d08c06ffb313967b1cce1cd734396fd6766f5f6838b2753c07f4d88ed18348bb2e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\qjtrdfqx.exe
    Filesize

    165KB

    MD5

    13c5a699c800ce394b83653875357e42

    SHA1

    747f3d620a23fc89ce381316e02cb5b0096bd471

    SHA256

    a64300aad7826895f5e75bef649d58aaeabb180b482d13812efcac6fa658e0be

    SHA512

    f1be67fceaaf7908b4382a45cdfd08cf5d3dc651145db9ac0fc0a4ba33c8d5809420f87d594ca06b15f1b754378f45367f85d9137b562e9d0cb43d7f192739a9

    Download Submit
  • memory/3712-5-0x0000000000E60000-0x0000000000E62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/4040-16-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4040-18-0x0000000005860000-0x0000000005E04000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4040-10-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4040-12-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4040-13-0x0000000074200000-0x00000000749B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4040-14-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4040-15-0x0000000005180000-0x00000000051C2000-memory.dmp
    Filesize

    264KB

    Download
  • memory/4040-7-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4040-17-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4040-9-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize

    332KB

    Download
  • memory/4040-19-0x0000000005420000-0x0000000005486000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4040-20-0x0000000006880000-0x00000000068D0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4040-21-0x0000000006970000-0x0000000006A02000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4040-22-0x0000000006B10000-0x0000000006B1A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4040-23-0x0000000074200000-0x00000000749B0000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4040-24-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4040-25-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4040-26-0x00000000052A0000-0x00000000052B0000-memory.dmp
    Filesize

    64KB

    Download