Overview

overview

10

Static

static

3

923fc964a8...3b.exe

windows7-x64

10

923fc964a8...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 03:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe

  • Size

    681KB

  • MD5

    65eb5063ffd21ea06563acdde5b0aec5

  • SHA1

    9109276193763e3a58b4d8fe472c5d4730b37b33

  • SHA256

    923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b

  • SHA512

    a53c5750a427297426cc23416e9dc282814a1210cfc30ec7bf818770315d819cfd32b432d1b411f05a5394afa8df323ec028e136a38ae70a44edf28d53d64cb1

  • SSDEEP

    12288:nJEzqHKMbNeCpN/PmNcfF+RZnGItAdjfRnisFIH9XonxvK4+n0cV:nSz87bv/u/lO169evKb0

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe
    "C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1752
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jsHSvhKIRkhsOT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41E0.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3016
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jsHSvhKIRkhsOT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2840

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp41E0.tmp
          Filesize

          1KB

          MD5

          9636177eb5a002cc369d709f52a7d87f

          SHA1

          c07f4d216d1c12ef2231d94e9df40e4acd306ac8

          SHA256

          319d51ff91239a266ba53fc8437424b97c8c67293f21d4758c3ee9892970957b

          SHA512

          69db9f64d7a1cabd043b65317205b8adace93ce8addb0116300dbfd31d8f76bbbc8c98eb8f2e617b0b1137f21e9c5cce31f3654aa69c4f4ea79203b84acf876e

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
          Filesize

          7KB

          MD5

          1d9eb57c514e32110927f3793c17533e

          SHA1

          9fbb29e07254bbc9ed7ecfc92a0cf7da9e75d146

          SHA256

          b23e31bd5e31c61dc65da1c4eb9c9dbf6cae616ad50f7e4a523d0c5d811c2464

          SHA512

          ca0edd00e1e70b2dcc2bc7732c1cd7717aaf928722445f1975324b779483f3bac27687deb05c7892fc5fc4ddc395282ae69977e323052c3de773842569bd9aa8

          Download Submit

        • memory/1752-38-0x00000000741E0000-0x00000000748CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1752-3-0x0000000000490000-0x00000000004A4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1752-5-0x0000000000780000-0x000000000078E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/1752-4-0x0000000000710000-0x000000000071A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/1752-6-0x0000000004500000-0x0000000004588000-memory.dmp

          Filesize

          544KB

          Download

        • memory/1752-2-0x0000000004D10000-0x0000000004D50000-memory.dmp

          Filesize

          256KB

          Download

        • memory/1752-1-0x00000000741E0000-0x00000000748CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/1752-0-0x00000000001A0000-0x0000000000250000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2360-36-0x00000000004F0000-0x0000000000530000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2360-22-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2360-45-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2360-24-0x00000000004F0000-0x0000000000530000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2360-28-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2360-40-0x00000000004F0000-0x0000000000530000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2760-44-0x00000000020E0000-0x0000000002120000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2760-43-0x0000000072EE0000-0x00000000735CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2760-48-0x00000000020E0000-0x0000000002120000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2760-35-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-47-0x0000000072EE0000-0x00000000735CE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2760-39-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-31-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2760-42-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-19-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-21-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-27-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-23-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2840-34-0x0000000002960000-0x00000000029A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2840-20-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2840-26-0x0000000002960000-0x00000000029A0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2840-46-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2840-30-0x000000006ED30000-0x000000006F2DB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2840-32-0x0000000002960000-0x00000000029A0000-memory.dmp

          Filesize

          256KB

          Download