Overview

overview

10

Static

static

3

Dhl Expres...df.exe

windows7-x64

10

Dhl Expres...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    24-04-2024 04:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Dhl Express Shipping Docs .pdf.exe

  • Size

    835KB

  • MD5

    e7d52516ca8bcf4e8bcaf71a36a88300

  • SHA1

    d5a7eaad95ab6d4e492b128db0cf550c34170c90

  • SHA256

    8df5ecbc8ea978c98c9c3a0918fe9ee233f169ee9e3d38855b7da8fc96aad8dc

  • SHA512

    0dc86396301012e035ed03086436411b5abdbe7c2dc84b03d5385739250bf1efa1bc6fab96471eb277b62d7a3b1ea663565809493a26750951c6316b131c0751

  • SSDEEP

    12288:+iEx72xrdlMXGnWnpLCzRdoJ6K5/w6ovt51qZ0o1LFMdDP+FIk7N:sSrdrWn4z26UNol510LFMdDP8Ik

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Dhl Express Shipping Docs .pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Dhl Express Shipping Docs .pdf.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Dhl Express Shipping Docs .pdf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\emaGqYHYeYNHas.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\emaGqYHYeYNHas" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2560
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
        PID:2736

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp5A60.tmp
      Filesize

      1KB

      MD5

      649cbcd1ca2c6c28837821fee226ecff

      SHA1

      f8518fdbb28c4919357f96c522f234a74acc0b57

      SHA256

      7c8633381afbe7003c13e0d374d005e98e3eaa0adffee25f10f24747b022804d

      SHA512

      573798dea18914ebb5e66e8165bd6c87b28b8563f5aac8c741748b83006efcf2843d4ad73200d74e411f17d87f309242bfd63ab66bff7e9df59a875873cf7e5d

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
      Filesize

      7KB

      MD5

      d8c018d4ecfb6d1ea8211d85b7723d04

      SHA1

      6033059554574510145f29c85eab7990b30dc32f

      SHA256

      325b80aaa5a03d736e5ec748586d0f8251efaf49693a89b9a1eb603ac4e57c6b

      SHA512

      c3f2b3d3a1280bece8c8824fc0876b57fbd7727ba08ad550259fdf94973a552e2a9be27fcd07a77e2f59e781693023edf39b84d8d468daba8e2c903943113f74

      Download Submit
    • memory/2236-0-0x0000000000170000-0x0000000000248000-memory.dmp
      Filesize

      864KB

      Download
    • memory/2236-1-0x0000000074D00000-0x00000000753EE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2236-2-0x00000000048C0000-0x0000000004900000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2236-3-0x0000000000540000-0x0000000000558000-memory.dmp
      Filesize

      96KB

      Download
    • memory/2236-4-0x00000000004F0000-0x00000000004FE000-memory.dmp
      Filesize

      56KB

      Download
    • memory/2236-5-0x0000000000560000-0x0000000000574000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2236-6-0x0000000004ED0000-0x0000000004F5C000-memory.dmp
      Filesize

      560KB

      Download
    • memory/2236-7-0x00000000006C0000-0x0000000000744000-memory.dmp
      Filesize

      528KB

      Download
    • memory/2236-36-0x00000000048C0000-0x0000000004900000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2236-35-0x0000000074D00000-0x00000000753EE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2576-24-0x0000000002C80000-0x0000000002CC0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2576-27-0x0000000002C80000-0x0000000002CC0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2576-22-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2576-30-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2576-34-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2580-33-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2580-26-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2580-31-0x00000000029A0000-0x00000000029E0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/2580-20-0x000000006ED90000-0x000000006F33B000-memory.dmp
      Filesize

      5.7MB

      Download
    • memory/2736-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2736-25-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2736-23-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2736-21-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download
    • memory/2736-28-0x0000000000400000-0x0000000000442000-memory.dmp
      Filesize

      264KB

      Download