Overview

overview

10

Static

static

3

kYyBuIFRcL6U7Fl.exe

windows7-x64

10

kYyBuIFRcL6U7Fl.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 10:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    kYyBuIFRcL6U7Fl.exe

  • Size

    604KB

  • MD5

    dc6c813e0b5c0adab63e8f6e47d3fb76

  • SHA1

    c9979e87cf35d8563a16bf52ad762c04c89badc9

  • SHA256

    3d6012eb13b5a891571ea2d7c7bf120b9c12d479e5cb2c6ffc7e515e14c46866

  • SHA512

    c3e83b275c6aedbf56fe581b6e5f5b7f9ec33573c460eca63590a33326c08378dd7ea04b1d80807fdfc74738d432adb9b37892a0655aff8611d2e30f4d9f9ef3

  • SSDEEP

    12288:z+E26ddIYd1x66+9GreDc4bRbOpPE6/5kqRQeB0QzauW2a5W:aOwO1mQreDc4lypPp+kQelzauWS

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe
    "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2332
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\kYyBuIFRcL6U7Fl.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UoqhCzdpcgs.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2708
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UoqhCzdpcgs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7CDD.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp7CDD.tmp
      Filesize

      1KB

      MD5

      14d1bbe598ec1c688059b3f36a68803b

      SHA1

      e997e3f72e1b971c5c49133d709f63adbc32cf4e

      SHA256

      070ab7212b72b95a2b37e239463694cd6169c5475649a077d6e7e8c38c31ca81

      SHA512

      be37e96e703d9d3b793c4d556f694c0636e66d5ee7df78f01713d0ef488f11fc4478028897b870d27a1e17b64339a2689e66970ad8d6c33e582544b5ebd5ab69

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4FWT8535XJX4DBCDBD7V.temp
      Filesize

      7KB

      MD5

      18cdc928871f691ce0fc92152a61feb2

      SHA1

      dd3ec738147e8f909c6a77c4f1c687fc889b2fa5

      SHA256

      2c4d44b8f8ccc0baa43b1c1ef07cb4472b0dfd5864da1c009d798b2687bb4b66

      SHA512

      9c76dc53ecd95ec3c1962efbf0a72234259318d4ca7e6b87d16abca98bd07ff0a8bc8bb2e761c34049109cbc68c26df18865f2544b41b4d026aeecd0d8fb8b14

      Download Submit

    • memory/2332-0-0x0000000000D70000-0x0000000000E0E000-memory.dmp

      Filesize

      632KB

      Download

    • memory/2332-1-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2332-2-0x0000000004F10000-0x0000000004F50000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2332-3-0x00000000003E0000-0x00000000003F2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2332-4-0x00000000003F0000-0x00000000003FC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2332-5-0x0000000004850000-0x00000000048D2000-memory.dmp

      Filesize

      520KB

      Download

    • memory/2332-37-0x0000000074BA0000-0x000000007528E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2472-24-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2472-31-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2472-35-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2472-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2472-21-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2472-28-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2520-26-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2520-20-0x00000000029B0000-0x00000000029F0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2520-30-0x00000000029B0000-0x00000000029F0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2520-18-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2520-39-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2708-27-0x00000000026E0000-0x0000000002720000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2708-19-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2708-23-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2708-38-0x000000006EE80000-0x000000006F42B000-memory.dmp

      Filesize

      5.7MB

      Download