Analysis

  • max time kernel
    139s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/03/2024, 14:47

General

  • Target

    20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe

  • Size

    539KB

  • MD5

    8842b5b5d828d54cac49097f52d5f62a

  • SHA1

    6bbaff55a54b752eca2f57c25e97bbd123597b44

  • SHA256

    b082ab124082817c7a3633f38d75328e0bee32164543987628428cb4c3a26e09

  • SHA512

    73cc6fe86faf67d0655e4c1a3593fd07036541dd8cc7b6f8aafc482905477b9a56fe588e236d4d7eb49e6baa133c8d481ed2b4d4f160529078708890f98f02fc

  • SSDEEP

    12288:akNE2cL3rOolerH9vASyBbbX/MQfe1kfE3xWN:LE2cL7Ool09vUBXX/MQGG+kN

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 3 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe
    "C:\Users\Admin\AppData\Local\Temp\20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2176
    • C:\Users\Admin\AppData\Local\Temp\20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe
      "C:\Users\Admin\AppData\Local\Temp\20240306 The new order about PO#PW225084YL.50L of 23AW1203A285 2ND SAMPLE ENR xls.bat.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2488

Network

MITRE ATT&CK Enterprise v15


Downloads

  • \Users\Admin\AppData\Local\Temp\nsj8FE2.tmp\System.dll

    Filesize

    11KB

    MD5

    9625d5b1754bc4ff29281d415d27a0fd

    SHA1

    80e85afc5cccd4c0a3775edbb90595a1a59f5ce0

    SHA256

    c2f405d7402f815d0c3fadd9a50f0bbbb1bab9aa38fe347823478a2587299448

    SHA512

    dce52b640897c2e8dbfd0a1472d5377fa91fb9cf1aeff62604d014bccbe5b56af1378f173132abeb0edd18c225b9f8f5e3d3e72434aed946661e036c779f165b

  • memory/2176-19-0x0000000076D40000-0x0000000076EE9000-memory.dmp

    Filesize

    1.7MB

  • memory/2176-20-0x0000000076F30000-0x0000000077006000-memory.dmp

    Filesize

    856KB

  • memory/2176-21-0x0000000010000000-0x0000000010006000-memory.dmp

    Filesize

    24KB

  • memory/2488-22-0x0000000076D40000-0x0000000076EE9000-memory.dmp

    Filesize

    1.7MB

  • memory/2488-23-0x0000000076F66000-0x0000000076F67000-memory.dmp

    Filesize

    4KB

  • memory/2488-24-0x00000000004C0000-0x0000000001522000-memory.dmp

    Filesize

    16.4MB

  • memory/2488-46-0x00000000004C0000-0x0000000001522000-memory.dmp

    Filesize

    16.4MB

  • memory/2488-47-0x0000000076F30000-0x0000000077006000-memory.dmp

    Filesize

    856KB

  • memory/2488-48-0x00000000004C0000-0x0000000000502000-memory.dmp

    Filesize

    264KB

  • memory/2488-49-0x0000000071BD0000-0x00000000722BE000-memory.dmp

    Filesize

    6.9MB

  • memory/2488-51-0x00000000381D0000-0x0000000038210000-memory.dmp

    Filesize

    256KB

  • memory/2488-55-0x0000000071BD0000-0x00000000722BE000-memory.dmp

    Filesize

    6.9MB