Overview

overview

10

Static

static

3

259206e6fb...96.exe

windows7-x64

10

259206e6fb...96.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    126s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    31-12-2023 03:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    259206e6fbda6b46e6499e518adcaf96.exe

  • Size

    613KB

  • MD5

    259206e6fbda6b46e6499e518adcaf96

  • SHA1

    3c2a4bb622685d3e250d4566d25aa244e18f0086

  • SHA256

    fed60d381e993a084cbde0147f445309d00a69b6be01aeebace31acdb424a91f

  • SHA512

    9f2d873a853ed0494cb7326286c0dd2e338b5422ecbd221f9bda831a205953ece096e297c248a89f477f7e89755b204ab7181fb2c991df489e3270b62aa42c6f

  • SSDEEP

    12288:H12OsBgo0q4wM/VkGjkfoX89JrFM02XweWFdPcYiQAqwQikKCTwE47:4OsBgo0q4wM2ykfosfriwPFdPKQAqwMn

Score
10/10
agentteslacollectionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.ggraco.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    admin@#1235

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 6 IoCs
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\259206e6fbda6b46e6499e518adcaf96.exe
    "C:\Users\Admin\AppData\Local\Temp\259206e6fbda6b46e6499e518adcaf96.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\259206e6fbda6b46e6499e518adcaf96.exe
      "C:\Users\Admin\AppData\Local\Temp\259206e6fbda6b46e6499e518adcaf96.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:2680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2368-0-0x0000000000010000-0x00000000000B0000-memory.dmp

    Filesize

    640KB

    Download

  • memory/2368-1-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2368-2-0x0000000004E20000-0x0000000004E60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2368-3-0x0000000000460000-0x0000000000472000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2368-4-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2368-5-0x0000000004E20000-0x0000000004E60000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2368-6-0x0000000005110000-0x0000000005192000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2368-7-0x00000000006F0000-0x0000000000730000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2368-20-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2680-22-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2680-23-0x0000000001FD0000-0x0000000002010000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2680-21-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-18-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-16-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2680-12-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-10-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-9-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-8-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2680-24-0x00000000748A0000-0x0000000074F8E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2680-25-0x0000000001FD0000-0x0000000002010000-memory.dmp

    Filesize

    256KB

    Download