Overview

overview

10

Static

static

3

e01f1380ae...c5.exe

windows7-x64

10

e01f1380ae...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    129s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    26-03-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e01f1380aeb3502ac454470540ad53c5.exe

  • Size

    1.3MB

  • MD5

    e01f1380aeb3502ac454470540ad53c5

  • SHA1

    6da056bd6c1c4b0f34f5d7ceff58398729eb9129

  • SHA256

    bbd2977d69441d934917ec16e2adf08db3a5ba8a55d2800edff5715dbcb80a23

  • SHA512

    dbc5ac80248b4cc81390bd9b07150156373925b608657c4db907658ad7190a80e629903ecb7f0949e557ac28321f84bd88421643b96d2a62fc3cfb5953cd4267

  • SSDEEP

    24576:VCvxKFksKksqv7JvZI14dCp9fLSUNBOvx5y8jP8N6ZxHaE75/dZZ:VCvxKXJvZIJfLl7YEN6Zxb

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    67968664JeBlachqwin

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
    "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2840
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bspspeOPHY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2AB8.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2404
    • C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
      "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 388
        3⤵
          PID:472

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp2AB8.tmp
      Filesize

      1KB

      MD5

      950adc31ae8361784bb8fa791653708f

      SHA1

      d485fe3f73a757bce23a55a69945aad89a91c594

      SHA256

      b6c4151d1463bb6d536065265f07591b7a0893ece83d2dea142f50a79310d308

      SHA512

      d1f1457c6969a794c5c8d921e7e431c72020751d30b2aa62d89c70557cbc5b02c18a690d6cd5be68ff3d7dcb2cd4bca2c86e552bd1fd8f773349920233c81941

      Download Submit

    • memory/472-28-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/472-25-0x00000000025C0000-0x00000000025C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2232-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2232-18-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-27-0x0000000000580000-0x00000000005C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2232-10-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-11-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-12-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-13-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-26-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2232-16-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-22-0x0000000000580000-0x00000000005C0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2232-20-0x0000000000400000-0x000000000043C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/2232-21-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2232-23-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-4-0x0000000000A30000-0x0000000000A70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-24-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-2-0x0000000000A30000-0x0000000000A70000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2840-0-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-3-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2840-1-0x0000000074730000-0x0000000074CDB000-memory.dmp

      Filesize

      5.7MB

      Download