Overview

overview

10

Static

static

3

TS-240328-UF3.exe

windows7-x64

10

TS-240328-UF3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    116s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-03-2024 22:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TS-240328-UF3.exe

  • Size

    659KB

  • MD5

    dcc3c8dc9a2f58509df9700d87ad0c85

  • SHA1

    e7af3abd5d6a5914c7a75156d26210a928b3d5fd

  • SHA256

    3f60ddb8805a1fcf7eb923f364dd1c8d73dfa74dd54f7896af0a52f8c870b1f9

  • SHA512

    ced2631ead6123c9913e272ab8ead42162bd9bcc3aae458add132ab00762916b78b47eb7c29c00afbb2b8771c479d1cd21749b5ce1e316269be07365e66ce3d5

  • SSDEEP

    12288:tC0YOwquZWZ19Os7mPROmIYUrYDw4aRWIJAMwqPCyRjYtUMpA64IInzudmP:sO7MWrUbPROmYYDlaRWagyR8pVInAm

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.hamouneco.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    HamounEco@9466

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\TS-240328-UF3.exe
    "C:\Users\Admin\AppData\Local\Temp\TS-240328-UF3.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1872
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\TS-240328-UF3.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2932
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\pehGlbgBvKrXC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1920
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pehGlbgBvKrXC" /XML "C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3784
    • C:\Users\Admin\AppData\Local\Temp\TS-240328-UF3.exe
      "C:\Users\Admin\AppData\Local\Temp\TS-240328-UF3.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4548

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Scheduled Task/Job

1
T1053

Privilege Escalation

Scheduled Task/Job

1
T1053

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    968cb9309758126772781b83adb8a28f

    SHA1

    8da30e71accf186b2ba11da1797cf67f8f78b47c

    SHA256

    92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

    SHA512

    4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    eaf61c2d0c4732a5eea3070c133cb204

    SHA1

    02478a54b2fb64c463125f44d12638ea07e4a354

    SHA256

    4d94e62faedbe8c8cce0b73b67bc58c434de655bbcab9a7d0002ea8db97c4c7a

    SHA512

    651c76e25b49b88258afd940d5fe4bc6cd1734c31e51d88f5b74eb564b09665134f039db92dfeb32f9573ffeb8acd656df1c2dc7b4e17590385baa272b9cc90e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmz3zwys.ouv.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp760B.tmp
    Filesize

    1KB

    MD5

    7142aa33174f72fa77a93b934cd80ff2

    SHA1

    e129e25d37e71f5d92bc1a731791de490b018dca

    SHA256

    d3ca909f7d92a3916bbc6597cf4b4f68ea1f34735959fe996c4867e320d977e6

    SHA512

    53a9021cb30836df793d637d30367b67b51610014d34bdda520fc1920a67137ccf3fbbf4043b35d889ec343618c8bf3d5c041a68d1343d5cc8ca291133b989c8

    Download Submit
  • memory/1872-4-0x0000000005910000-0x0000000005920000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1872-5-0x0000000005920000-0x000000000592A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1872-6-0x0000000005CD0000-0x0000000005CEA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1872-7-0x0000000005CF0000-0x0000000005CFC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1872-8-0x00000000075C0000-0x0000000007642000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1872-9-0x0000000009C50000-0x0000000009CEC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/1872-0-0x0000000000FB0000-0x000000000105A000-memory.dmp
    Filesize

    680KB

    Download
  • memory/1872-3-0x0000000005930000-0x00000000059C2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/1872-2-0x0000000005E00000-0x00000000063A4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/1872-48-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1872-47-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1872-1-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1920-20-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-21-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-22-0x0000000004B90000-0x0000000004BB2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1920-57-0x000000007F200000-0x000000007F210000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-19-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1920-24-0x0000000005410000-0x0000000005476000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1920-84-0x0000000006E70000-0x0000000006E7A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1920-82-0x0000000007440000-0x0000000007ABA000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1920-80-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-87-0x0000000007000000-0x0000000007011000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1920-79-0x0000000006CC0000-0x0000000006D63000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1920-77-0x0000000000F30000-0x0000000000F40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-91-0x0000000007120000-0x0000000007128000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1920-98-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1920-53-0x00000000060A0000-0x00000000060D2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1920-56-0x0000000070DA0000-0x0000000070DEC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2932-51-0x0000000006550000-0x000000000656E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2932-17-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2932-55-0x0000000070DA0000-0x0000000070DEC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2932-52-0x0000000006590000-0x00000000065DC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2932-76-0x0000000006B40000-0x0000000006B5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2932-14-0x0000000004F80000-0x0000000004FB6000-memory.dmp
    Filesize

    216KB

    Download
  • memory/2932-15-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2932-75-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2932-16-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2932-81-0x0000000005090000-0x00000000050A0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2932-83-0x0000000007880000-0x000000000789A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2932-45-0x0000000006080000-0x00000000063D4000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2932-30-0x0000000005F10000-0x0000000005F76000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2932-94-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2932-85-0x0000000007B00000-0x0000000007B96000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2932-18-0x00000000056D0000-0x0000000005CF8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2932-88-0x0000000007AB0000-0x0000000007ABE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2932-89-0x0000000007AC0000-0x0000000007AD4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2932-90-0x0000000007BC0000-0x0000000007BDA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2932-54-0x000000007FB30000-0x000000007FB40000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4548-86-0x0000000005E90000-0x0000000005EE0000-memory.dmp
    Filesize

    320KB

    Download
  • memory/4548-44-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/4548-49-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4548-50-0x00000000050C0000-0x00000000050D0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4548-99-0x00000000746D0000-0x0000000074E80000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4548-100-0x00000000050C0000-0x00000000050D0000-memory.dmp
    Filesize

    64KB

    Download