Overview

overview

10

Static

static

5

Request fo...on.exe

windows7-x64

10

Request fo...on.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/01/2024, 15:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request for Quotation.exe

  • Size

    1.2MB

  • MD5

    2d1a2917063ab6a3daf54b06c176e9c0

  • SHA1

    6589a7945673b9d69e0bb0680159593d73618b97

  • SHA256

    020006147733cd39dbed723e787cb597c9d65332eeb5792a30c0bdba0fca5df5

  • SHA512

    f6c4b46e076684e37889fd5325c68186880df84a0ebe773b4742069b228479ededd5c437c3bb85e4eff8a764e133542728a57d256b744c59252a3a010adee729

  • SSDEEP

    24576:+qDEvCTbMWu7rQYlBQcBiT6rprG8aoTyjNklxotA4l:+TvC/MTQYxsWR7aoTyylxB4

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3292
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
        3⤵
          PID:4004
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 404
            4⤵
            • Program crash
            PID:3300
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4004 -ip 4004
      1⤵
        PID:1376

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\teres
        Filesize

        29KB

        MD5

        696e9fb2ba60e69e373734d9b75f1e93

        SHA1

        06f0d8a67fe87b9ad409f0af9e3958e7a6ddccf3

        SHA256

        622b05f1d25ea61346312f9a1d6bd9d7ccb97bdaac39f0c225aa990f7a5d74f6

        SHA512

        a75dff00112254b058fff70c10d3bbe2ec0b2989571d1d24c2c561016a2dfaba74afe1f3d55bea9b886ed4943928ee530840cf34684591521c3d341b83b0e1f3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\uncolorable
        Filesize

        316KB

        MD5

        d6b9f069209d229d5f82148c138b125c

        SHA1

        32b9b5f0fd067d00f8a2776f4f0a1abf77032965

        SHA256

        a014038b24e85f096449543b0607dc972582ccf002fc915dc8556f8e1749c0e0

        SHA512

        2e65c14eead59f4923f86955e069d90d35f8db9e9bc3610ab7e105825072bac36577e5203dd66b690453d4469ec21048110e2e3441218191cca1ad6318bf2011

        Download Submit

      • C:\Users\Admin\AppData\Local\directory\name.exe
        Filesize

        5.2MB

        MD5

        703b3ec799186c430c9bb34e27e2c9ac

        SHA1

        62ae830088f2c81bb2c3a4026e0d0691202c8af5

        SHA256

        d32458616dcc56dafcb41b26d671171c45aacd4028a5883950f08d579bee7760

        SHA512

        2927f621c100b2413273303e33bfb32a710cb1263e5346e4013a6be50f2a4980364c7d88fe006a777baaeff85b74802fbc68f0cebe8854a7a3d04ce500496975

        Download Submit

      • C:\Users\Admin\AppData\Local\directory\name.exe
        Filesize

        6.5MB

        MD5

        ea944418036541a8842716d9af0ec010

        SHA1

        78cca70f5d078306e4ba55165e4e1737b768386f

        SHA256

        5be27dc17908ed0725bc22673ec63c88291e1f9fdd225fcf98f70ee7c3d5f1af

        SHA512

        329d6e5de43763a8321c09e4e7109dd3bdb8a0568fa5bdb59480896e3969cbfb44ac606a284cb0c01f08675b21524097776c3f0ea9e388aa9b6b6a66b400f573

        Download Submit

      • memory/1608-10-0x0000000002320000-0x0000000002324000-memory.dmp

        Filesize

        16KB

        Download

      • memory/4004-28-0x0000000000380000-0x00000000003D3000-memory.dmp

        Filesize

        332KB

        Download

      • memory/4004-33-0x0000000000380000-0x00000000003D3000-memory.dmp

        Filesize

        332KB

        Download

      • memory/4004-37-0x0000000000380000-0x00000000003D3000-memory.dmp

        Filesize

        332KB

        Download