Overview

overview

10

Static

static

1

c0a399a983...fa.exe

windows7-x64

10

c0a399a983...fa.exe

windows10-2004-x64

10

Forvrider/...al.ps1

windows7-x64

8

Forvrider/...al.ps1

windows10-2004-x64

8

Analysis

  • max time kernel
    153s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/04/2024, 01:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    c0a399a9834cb234deda780178eaed04b01a18786200ae227241d520d1151ffa.exe

  • Size

    647KB

  • MD5

    461f74a275f94ceac0e28d9bcad78c55

  • SHA1

    ce1a10258dd458b19023a31dfd9387a4c9559b51

  • SHA256

    c0a399a9834cb234deda780178eaed04b01a18786200ae227241d520d1151ffa

  • SHA512

    1491dd84234b50b26eb09c719ebfabf3cb330a847be0a538d3fd2f8144e06b393b744b2b2a6fbfb68be373a815fc97e3ae5320e8997bd30ff7a8074ee861e7d5

  • SSDEEP

    12288:YXRAvufNFTr7LK1jIGvKDdGSWWswNCgXu/H+nR9lWqwDwmuu6TNxFu+Y:YXRyUNJr7LpGvKDMV32sH+sPqu6hxFut

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0a399a9834cb234deda780178eaed04b01a18786200ae227241d520d1151ffa.exe
    "C:\Users\Admin\AppData\Local\Temp\c0a399a9834cb234deda780178eaed04b01a18786200ae227241d520d1151ffa.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:440
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Superfluid=Get-Content 'C:\Users\Admin\AppData\Local\Ubarberet\Forvrider\Laserstraaler\curwillet\Innatural.For';$Smidgin220=$Superfluid.SubString(59476,3);.$Smidgin220($Superfluid)"
      2⤵
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4460
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "set /A 1^^0"
        3⤵
          PID:5028
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3868 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:228

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqgugide.tof.ps1
              Filesize

              60B

              MD5

              d17fe0a3f47be24a6453e9ef58c94641

              SHA1

              6ab83620379fc69f80c0242105ddffd7d98d5d9d

              SHA256

              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

              SHA512

              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

              Download Submit

            • C:\Users\Admin\AppData\Local\Ubarberet\Forvrider\Laserstraaler\curwillet\Antiklumpningsmidler241.Pre
              Filesize

              336KB

              MD5

              421f85ff395d33ef96eb9a041fd8efdd

              SHA1

              043669ee72876a841f7c4bd3bb5374a461f0a0a5

              SHA256

              aa2b0e8296dbfcb28c579c9c3ef13971d2339e4e1dbe2b10d4b68cd372801353

              SHA512

              3cb668aca2444250cdae58c300d4348f5917a5333fc464eeefd73e344ccff57a4e69ac0c405d6d1b01fc8e6f3c2a5d1fe0343ef6a7926505d0a4559f9971443d

              Download Submit

            • C:\Users\Admin\AppData\Local\Ubarberet\Forvrider\Laserstraaler\curwillet\Innatural.For
              Filesize

              58KB

              MD5

              5358906fc6c6a2964b35ad7b35bbdc18

              SHA1

              0359b2ef0bd2ef026044c36bf7a991406f0979f3

              SHA256

              5661d74c0e0b18aa9098680f226fa04ed698b7657add95ad90369cc94a59d3f7

              SHA512

              25cbda18e3d442714a765ab3de5041366c3bc1017a21536579cfcd37cd78774a9cdefe1409c0710e54dd6d07b591d9434627d04b9f0e49fdcb513dafac752ea5

              Download Submit

            • memory/2704-67-0x00000000240F0000-0x00000000240FA000-memory.dmp

              Filesize

              40KB

              Download

            • memory/2704-66-0x0000000024180000-0x0000000024212000-memory.dmp

              Filesize

              584KB

              Download

            • memory/2704-65-0x0000000024090000-0x00000000240E0000-memory.dmp

              Filesize

              320KB

              Download

            • memory/2704-64-0x0000000023E80000-0x0000000023E90000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2704-61-0x0000000000A80000-0x0000000000AC0000-memory.dmp

              Filesize

              256KB

              Download

            • memory/2704-62-0x0000000073E10000-0x00000000745C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/2704-60-0x0000000000A80000-0x0000000001CD4000-memory.dmp

              Filesize

              18.3MB

              Download

            • memory/2704-47-0x0000000077861000-0x0000000077981000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/2704-46-0x00000000778E8000-0x00000000778E9000-memory.dmp

              Filesize

              4KB

              Download

            • memory/4460-33-0x0000000006650000-0x0000000006672000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4460-42-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-29-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-30-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-31-0x00000000065B0000-0x0000000006646000-memory.dmp

              Filesize

              600KB

              Download

            • memory/4460-32-0x0000000006550000-0x000000000656A000-memory.dmp

              Filesize

              104KB

              Download

            • memory/4460-7-0x0000000073E10000-0x00000000745C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4460-34-0x0000000007650000-0x0000000007BF4000-memory.dmp

              Filesize

              5.6MB

              Download

            • memory/4460-27-0x0000000073E10000-0x00000000745C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4460-36-0x0000000008280000-0x00000000088FA000-memory.dmp

              Filesize

              6.5MB

              Download

            • memory/4460-38-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-26-0x0000000006110000-0x000000000615C000-memory.dmp

              Filesize

              304KB

              Download

            • memory/4460-40-0x0000000007600000-0x0000000007604000-memory.dmp

              Filesize

              16KB

              Download

            • memory/4460-28-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-43-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-44-0x0000000008900000-0x000000000CED6000-memory.dmp

              Filesize

              69.8MB

              Download

            • memory/4460-45-0x0000000077861000-0x0000000077981000-memory.dmp

              Filesize

              1.1MB

              Download

            • memory/4460-25-0x0000000006030000-0x000000000604E000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4460-20-0x0000000005A50000-0x0000000005DA4000-memory.dmp

              Filesize

              3.3MB

              Download

            • memory/4460-14-0x00000000059A0000-0x0000000005A06000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4460-13-0x00000000051E0000-0x0000000005246000-memory.dmp

              Filesize

              408KB

              Download

            • memory/4460-63-0x0000000073E10000-0x00000000745C0000-memory.dmp

              Filesize

              7.7MB

              Download

            • memory/4460-12-0x0000000005040000-0x0000000005062000-memory.dmp

              Filesize

              136KB

              Download

            • memory/4460-11-0x0000000005270000-0x0000000005898000-memory.dmp

              Filesize

              6.2MB

              Download

            • memory/4460-10-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download

            • memory/4460-9-0x0000000002A50000-0x0000000002A86000-memory.dmp

              Filesize

              216KB

              Download

            • memory/4460-8-0x0000000004C30000-0x0000000004C40000-memory.dmp

              Filesize

              64KB

              Download