Overview

overview

10

Static

static

3

143255a5ba...b2.exe

windows7-x64

10

143255a5ba...b2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-03-2024 02:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    143255a5ba28e866c50698c6ba81c7aa37cc517dd3499754136be7cea093afb2.exe

  • Size

    668KB

  • MD5

    a4e1da4de6991f0e7e6de4ab3497563c

  • SHA1

    55fa99225cb02841d4b8bd4d207831f8631fe855

  • SHA256

    143255a5ba28e866c50698c6ba81c7aa37cc517dd3499754136be7cea093afb2

  • SHA512

    6c7dbda6d53963f5f20a150cc56f537d86a397f63e214c98ce78f110481cecdd2c36219a9ea9af17376d5ab0e1f6b86dfc4fdadcfa10529960de01660344d59c

  • SSDEEP

    12288:Gf2Ov+kR/c07tYZLyOJ1nlffll8QNOBf7sjqDz6/wM5pu+BfjhKfAie:wFRU0BYZOEvlHkojSz63tKbe

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\143255a5ba28e866c50698c6ba81c7aa37cc517dd3499754136be7cea093afb2.exe
    "C:\Users\Admin\AppData\Local\Temp\143255a5ba28e866c50698c6ba81c7aa37cc517dd3499754136be7cea093afb2.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1148
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 620 -s 740
      2⤵
        PID:2688

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/620-0-0x0000000000DB0000-0x0000000000DC8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/620-1-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/620-2-0x000000001B370000-0x000000001B3F0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/620-3-0x0000000000D00000-0x0000000000D98000-memory.dmp
      Filesize

      608KB

      Download
    • memory/620-21-0x000000001B370000-0x000000001B3F0000-memory.dmp
      Filesize

      512KB

      Download
    • memory/620-20-0x000007FEF5DF0000-0x000007FEF67DC000-memory.dmp
      Filesize

      9.9MB

      Download
    • memory/1148-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1148-10-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-8-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-13-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-15-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-17-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-18-0x0000000074C30000-0x000000007531E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1148-19-0x00000000008E0000-0x0000000000920000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1148-6-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-4-0x0000000000400000-0x0000000000444000-memory.dmp
      Filesize

      272KB

      Download
    • memory/1148-22-0x0000000074C30000-0x000000007531E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/1148-23-0x00000000008E0000-0x0000000000920000-memory.dmp
      Filesize

      256KB

      Download