Overview

overview

10

Static

static

3

f8e6583d8b...9d.exe

windows7-x64

10

f8e6583d8b...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 02:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f8e6583d8b52b95801109030c4b4479ee0d085f781e0efd985d8abdf24919f9d.exe

  • Size

    980KB

  • MD5

    a3f8fc485938b85b20d0d72daf006db5

  • SHA1

    b72e5c0c9463577a2dfe815fd76b6448ee999d4a

  • SHA256

    f8e6583d8b52b95801109030c4b4479ee0d085f781e0efd985d8abdf24919f9d

  • SHA512

    3fdf772c948fa0f2bf67be37e2583ed0f692545c50a07172140472f838df7ed5dc671adc4ce64d658b29194a116f0a298ca959bf720f9a3f0a6a2b574f1cd01b

  • SSDEEP

    24576:4K17srDOgLqWs7Gn7f97jKx2J312Z4fJYOW:F0OgGZ7GnTxmYJl2EJYO

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f8e6583d8b52b95801109030c4b4479ee0d085f781e0efd985d8abdf24919f9d.exe
    "C:\Users\Admin\AppData\Local\Temp\f8e6583d8b52b95801109030c4b4479ee0d085f781e0efd985d8abdf24919f9d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\f8e6583d8b52b95801109030c4b4479ee0d085f781e0efd985d8abdf24919f9d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\RKJCwSTo.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2528
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RKJCwSTo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2624
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2488

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp
    Filesize

    1KB

    MD5

    3c936b5da8eda4a94c176f7b83668378

    SHA1

    ecce8e66f5afbc72807a979cf0826073c4615a66

    SHA256

    c997a87c7866f25a4bb7873d50c6103a1fcb9c37c03d842c73b5401b32438e38

    SHA512

    ec202cf6a102da9ff23392491ac80c3fc9805a6e660c44ffd08c5b4cbcd5a05d956ecb623aaf0e645fe887bcb019e9cabf95a003d0939372d0de455b041c3750

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7acca88ab2e6f7649f3e6bcb0b8d2cff

    SHA1

    fbe3fd979df0829449daf0374576d3c6512a8ad4

    SHA256

    450a715c531e7b342d7dd788c57a6d7ebe90703c1223c93971797b91fc0884e1

    SHA512

    186b9be4a81065f40bd1552af058bf0372950ed58b78d728ea0506dcc82d458aa47f90b830524f42dd9699046ab8af588b75003a5097bc9871a4ddec232181f2

    Download Submit
  • memory/2488-24-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-21-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-43-0x00000000736B0000-0x0000000073D9E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2488-25-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-29-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-38-0x0000000004A80000-0x0000000004AC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2488-33-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-37-0x00000000736B0000-0x0000000073D9E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2488-36-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2488-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2488-44-0x0000000004A80000-0x0000000004AC0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2488-23-0x0000000000400000-0x0000000000442000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2528-31-0x0000000002420000-0x0000000002460000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2528-20-0x0000000002420000-0x0000000002460000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2528-17-0x000000006F790000-0x000000006FD3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2528-41-0x000000006F790000-0x000000006FD3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2564-40-0x000000006F790000-0x000000006FD3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2564-32-0x00000000028F0000-0x0000000002930000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2564-19-0x00000000028F0000-0x0000000002930000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2564-18-0x000000006F790000-0x000000006FD3B000-memory.dmp
    Filesize

    5.7MB

    Download
  • memory/2564-39-0x00000000028F0000-0x0000000002930000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-3-0x0000000000490000-0x00000000004B0000-memory.dmp
    Filesize

    128KB

    Download
  • memory/2604-35-0x0000000074900000-0x0000000074FEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2604-1-0x0000000074900000-0x0000000074FEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2604-2-0x0000000004DB0000-0x0000000004DF0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-5-0x0000000001EC0000-0x0000000001F44000-memory.dmp
    Filesize

    528KB

    Download
  • memory/2604-4-0x0000000000530000-0x0000000000544000-memory.dmp
    Filesize

    80KB

    Download
  • memory/2604-0-0x0000000000030000-0x000000000012C000-memory.dmp
    Filesize

    1008KB

    Download