Overview

overview

10

Static

static

3

923fc964a8...3b.exe

windows7-x64

10

923fc964a8...3b.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    13/02/2024, 03:20

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe

  • Size

    681KB

  • MD5

    65eb5063ffd21ea06563acdde5b0aec5

  • SHA1

    9109276193763e3a58b4d8fe472c5d4730b37b33

  • SHA256

    923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b

  • SHA512

    a53c5750a427297426cc23416e9dc282814a1210cfc30ec7bf818770315d819cfd32b432d1b411f05a5394afa8df323ec028e136a38ae70a44edf28d53d64cb1

  • SSDEEP

    12288:nJEzqHKMbNeCpN/PmNcfF+RZnGItAdjfRnisFIH9XonxvK4+n0cV:nSz87bv/u/lO169evKb0

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe
    "C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2232
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\923fc964a80c47d57aeafc0ddbff753ac3ba854655b0231b358e54f54512503b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2372
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\jsHSvhKIRkhsOT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2656
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\jsHSvhKIRkhsOT.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2308
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2760

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp41D1.tmp
          Filesize

          1KB

          MD5

          a15911c96abd641ee66f25dad51b9196

          SHA1

          2fee1f9ded4daef5bb5947f6f606b011665a9e9e

          SHA256

          bc4c81da035739221882119e3ffda8327ae475a5f3e416548a795eae014358e1

          SHA512

          84943e8db5962ef326aa0fe714fb0f14f7603f73daa55960b002b9ea204649c4d385644566ceebc80870353907ca32e4ef7cbd90d9e1ef3e4b6e7b8471720e65

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\V5G9YUSCPI14VC3S9BZN.temp
          Filesize

          7KB

          MD5

          d004344eaf80525fbeb34692a4c125f6

          SHA1

          cd957d17692e3cff9160d35beadca85981dfca99

          SHA256

          636e8d0abbac21ff9b96f7e0acf6e91a84f1435d4b0d0dbee6c1c881c5d62de5

          SHA512

          cbb72e6a758ab28932090ff9cd1a9edcec50dfb1d6ecf38749df8a13d33b5d54fa753a046c7c4fbcd7ccbaa0f65da49d141f3aa1790a791cbfa2ce407856d429

          Download Submit

        • memory/2232-34-0x00000000741D0000-0x00000000748BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2232-3-0x0000000000400000-0x0000000000414000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2232-5-0x0000000000650000-0x000000000065E000-memory.dmp

          Filesize

          56KB

          Download

        • memory/2232-4-0x0000000000430000-0x000000000043A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2232-6-0x00000000049D0000-0x0000000004A58000-memory.dmp

          Filesize

          544KB

          Download

        • memory/2232-2-0x0000000004870000-0x00000000048B0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2232-0-0x0000000001040000-0x00000000010F0000-memory.dmp

          Filesize

          704KB

          Download

        • memory/2232-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2308-44-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2308-36-0x00000000029B0000-0x00000000029F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2308-38-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2308-43-0x00000000029B0000-0x00000000029F0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2308-33-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2372-35-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2372-39-0x0000000001DD0000-0x0000000001E10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2372-37-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2372-41-0x0000000001DD0000-0x0000000001E10000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2372-45-0x000000006ED20000-0x000000006F2CB000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/2760-42-0x00000000042A0000-0x00000000042E0000-memory.dmp

          Filesize

          256KB

          Download

        • memory/2760-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2760-28-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-30-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-19-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-40-0x00000000741D0000-0x00000000748BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2760-32-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-24-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-23-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-21-0x0000000000400000-0x0000000000442000-memory.dmp

          Filesize

          264KB

          Download

        • memory/2760-60-0x00000000741D0000-0x00000000748BE000-memory.dmp

          Filesize

          6.9MB

          Download

        • memory/2760-61-0x00000000042A0000-0x00000000042E0000-memory.dmp

          Filesize

          256KB

          Download