Overview

overview

10

Static

static

3

a2ed4963df...86.exe

windows7-x64

10

a2ed4963df...86.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    42s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    07-01-2024 19:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a2ed4963dfd45090c2112b7ba2422f86.exe

  • Size

    453KB

  • MD5

    a2ed4963dfd45090c2112b7ba2422f86

  • SHA1

    2bcef9993ffb483d5b7a8d482c00d33c71a28a02

  • SHA256

    bcdf684939411112be33475b5422edf1f6b8219b0f1b786e1ad222d2ebbca6c1

  • SHA512

    57891e845c2dcaf071ef6e5bae4a6cbb93789f563d84481d1447d4c36aa9f4f13f9d32d743672d8dcd293c1129c2f14e23804f7a19aaa8e0a3e9378e04b4d911

  • SSDEEP

    6144:2Eul21llAVOCt6ZJJbrr8pMnGdBI+cHGBJqaavKrfO2zPmuliN63z3BlO:WEiCtIKGdBIjqJWKqpugN63H

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.mohhg.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    r:1{cNw4}vJc

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe
    "C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1972
    • C:\Users\Admin\AppData\Local\Temp\a2ed4963dfd45090c2112b7ba2422f86.exe
      "{path}"
      2⤵
        PID:2864
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 520
          3⤵
            PID:2128
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tQsJxm" /XML "C:\Users\Admin\AppData\Local\Temp\tmpABF8.tmp"
          2⤵
          • Creates scheduled task(s)
          PID:2596

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1972-21-0x0000000074DC0000-0x000000007536B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1972-1-0x00000000022D0000-0x0000000002310000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1972-0-0x0000000074DC0000-0x000000007536B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1972-4-0x00000000022D0000-0x0000000002310000-memory.dmp

        Filesize

        256KB

        Download

      • memory/1972-3-0x0000000074DC0000-0x000000007536B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/1972-2-0x0000000074DC0000-0x000000007536B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2128-27-0x0000000000380000-0x0000000000381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2864-22-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-13-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-23-0x0000000074810000-0x0000000074DBB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2864-26-0x0000000074810000-0x0000000074DBB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2864-19-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-17-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2864-24-0x00000000021F0000-0x0000000002230000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2864-11-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-10-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-8-0x0000000000400000-0x000000000043C000-memory.dmp

        Filesize

        240KB

        Download

      • memory/2864-25-0x0000000074810000-0x0000000074DBB000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/2864-29-0x00000000021F0000-0x0000000002230000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2864-28-0x0000000074810000-0x0000000074DBB000-memory.dmp

        Filesize

        5.7MB

        Download