Overview

overview

10

Static

static

3

aa587ebbf0...2a.exe

windows7-x64

10

aa587ebbf0...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    133s
  • max time network
    113s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/02/2024, 22:43

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    aa587ebbf050bd4a1631fd2a3346232a.exe

  • Size

    694KB

  • MD5

    aa587ebbf050bd4a1631fd2a3346232a

  • SHA1

    f898720c9f7ebf199d8400ff4f0a78cdd2f5fc43

  • SHA256

    7336a855a84f2f2d0f49c00a9ccdd993135369b15fa93fc429c31bdcdb002cf6

  • SHA512

    2a2ae165605514b06169215104cea55659dc8ea6fb42a05bfd0bc050704ced3f275bf3b6bf4cce67af140d6fcf598cd007285d12d3e995b57b170a92c65b4a86

  • SSDEEP

    12288:UA+G/T5voQGYWYmjd+Z4dC++FHxaIXGClNLi/e1MGDauKzm0PnqgquWVO:tx7WFYpyd+ZYCvFRauldMZdPnS1VO

Score
10/10
agentteslacollectionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    mail.priserveinfra.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    oppipl121019

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 2 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa587ebbf050bd4a1631fd2a3346232a.exe
    "C:\Users\Admin\AppData\Local\Temp\aa587ebbf050bd4a1631fd2a3346232a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2500
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Drops file in Drivers directory
      • Accesses Microsoft Outlook profiles
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:3272

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/2500-10-0x0000000007B60000-0x0000000007C08000-memory.dmp

          Filesize

          672KB

          Download

        • memory/2500-11-0x0000000007930000-0x0000000007976000-memory.dmp

          Filesize

          280KB

          Download

        • memory/2500-2-0x0000000005470000-0x0000000005A14000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2500-3-0x0000000004F60000-0x0000000004FF2000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2500-4-0x0000000005000000-0x000000000509C000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2500-5-0x00000000051C0000-0x00000000051D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2500-6-0x0000000004F10000-0x0000000004F1A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/2500-7-0x0000000006120000-0x0000000006138000-memory.dmp

          Filesize

          96KB

          Download

        • memory/2500-8-0x0000000074D50000-0x0000000075500000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2500-16-0x0000000074D50000-0x0000000075500000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2500-1-0x0000000074D50000-0x0000000075500000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/2500-0-0x0000000000460000-0x0000000000514000-memory.dmp

          Filesize

          720KB

          Download

        • memory/2500-9-0x00000000051C0000-0x00000000051D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3272-14-0x0000000074D50000-0x0000000075500000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3272-15-0x00000000054C0000-0x00000000054D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3272-12-0x0000000000400000-0x000000000043C000-memory.dmp

          Filesize

          240KB

          Download

        • memory/3272-17-0x00000000056F0000-0x0000000005708000-memory.dmp

          Filesize

          96KB

          Download

        • memory/3272-18-0x0000000006470000-0x00000000064D6000-memory.dmp

          Filesize

          408KB

          Download

        • memory/3272-20-0x0000000074D50000-0x0000000075500000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3272-21-0x00000000054C0000-0x00000000054D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3272-23-0x0000000006940000-0x0000000006990000-memory.dmp

          Filesize

          320KB

          Download

        • memory/3272-24-0x00000000054C0000-0x00000000054D0000-memory.dmp

          Filesize

          64KB

          Download