Overview

overview

10

Static

static

3

e01f1380ae...c5.exe

windows7-x64

10

e01f1380ae...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    169s
  • max time network
    177s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-03-2024 21:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e01f1380aeb3502ac454470540ad53c5.exe

  • Size

    1.3MB

  • MD5

    e01f1380aeb3502ac454470540ad53c5

  • SHA1

    6da056bd6c1c4b0f34f5d7ceff58398729eb9129

  • SHA256

    bbd2977d69441d934917ec16e2adf08db3a5ba8a55d2800edff5715dbcb80a23

  • SHA512

    dbc5ac80248b4cc81390bd9b07150156373925b608657c4db907658ad7190a80e629903ecb7f0949e557ac28321f84bd88421643b96d2a62fc3cfb5953cd4267

  • SSDEEP

    24576:VCvxKFksKksqv7JvZI14dCp9fLSUNBOvx5y8jP8N6ZxHaE75/dZZ:VCvxKXJvZIJfLl7YEN6Zxb

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     smtp
  • Host:
    smtp.vivaldi.net
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    67968664JeBlachqwin

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
    "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\bspspeOPHY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp95D2.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe
      "C:\Users\Admin\AppData\Local\Temp\e01f1380aeb3502ac454470540ad53c5.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1512
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
        dw20.exe -x -s 784
        3⤵
        • Drops file in Windows directory
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious use of AdjustPrivilegeToken
        PID:2036

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Discovery

Query Registry

3
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\e01f1380aeb3502ac454470540ad53c5.exe.log
    Filesize

    496B

    MD5

    cb76b18ebed3a9f05a14aed43d35fba6

    SHA1

    836a4b4e351846fca08b84149cb734cb59b8c0d6

    SHA256

    8d0edecf54cbbdf7981c8e41a3ed8621503188a87415f9af0fb8d890b138c349

    SHA512

    7631141e4a6dda29452ada666326837372cd3d045f773006f63d9eff15d9432ed00029d9108a72c1a3b858377600a2aab2c9ec03764285c8801b6019babcf21c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp95D2.tmp
    Filesize

    1KB

    MD5

    11a52aecf0370570fecf043fa46c1f59

    SHA1

    683529109c633655a6c5c8e17919a1c5fb46ac59

    SHA256

    f3ad69b15bd0bca12ceb1b0e25bffa4a24d0bc15ff501c5bc61fd711019770ee

    SHA512

    50aef46a59d9a53980602003b9b8f5ea01d86432a3bd4fed06c671f7f50839d4c383b3a60d35585bb4bedba216ff092ff05638418593cbf0c25b4c5dbb511cff

    Download Submit
  • memory/1512-14-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1512-11-0x0000000000400000-0x000000000043C000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1512-15-0x0000000001040000-0x0000000001050000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1512-17-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/1512-24-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2360-3-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2360-4-0x00000000018F0000-0x0000000001900000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2360-5-0x00000000018F0000-0x0000000001900000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2360-2-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2360-1-0x00000000018F0000-0x0000000001900000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2360-0-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2360-16-0x0000000075390000-0x0000000075941000-memory.dmp
    Filesize

    5.7MB

    Download