Overview

overview

10

Static

static

3

FiveFinder.exe

windows7-x64

10

FiveFinder.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    21s
  • max time network
    23s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-04-2024 19:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FiveFinder.exe

  • Size

    1.4MB

  • MD5

    1e941bebf9fe16bce5c1967b5afffba8

  • SHA1

    b4a4cdff52f85f12cd3b4e1f251d46f424302f29

  • SHA256

    9360b84645809c8bb4387bf69a84ab8af0c3e01bd8072c60c1b5d728820b3cf9

  • SHA512

    64577f9c6b5fb0613f56365ff98a2e3d632a70981ff801cf2632d81fa17c44b1cc7419931c21d2c0f0107dd21846c25fe450787dad23b92a48c3ecb568401435

  • SSDEEP

    24576:HSc5TMSc5TeITMvRFhRRbNWoCfkYSEH3OqtwIuXckqjVnlqud+/2P+AkwEJ:HSZS5ITYbNbNWo4kSH3OqtwIrkqXfd+r

Score
10/10
agentteslakeyloggerpyinstallerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 9 IoCs
  • Detects Pyinstaller 1 IoCs
    pyinstaller
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FiveFinder.exe
    "C:\Users\Admin\AppData\Local\Temp\FiveFinder.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3000
    • C:\Users\FF.exe
      "C:\Users\FF.exe" ""
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2528
      • C:\Users\FF.exe
        "C:\Users\FF.exe" ""
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:1288

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l1-2-0.dll
    Filesize

    19KB

    MD5

    f0c73f7454a5ce6fb8e3d795fdb0235d

    SHA1

    acdd6c5a359421d268b28ddf19d3bcb71f36c010

    SHA256

    2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

    SHA512

    bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-file-l2-1-0.dll
    Filesize

    19KB

    MD5

    7d4d4593b478b4357446c106b64e61f8

    SHA1

    8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

    SHA256

    0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

    SHA512

    7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-localization-l1-2-0.dll
    Filesize

    21KB

    MD5

    1d75e7b9f68c23a195d408cf02248119

    SHA1

    62179fc9a949d238bb221d7c2f71ba7c1680184c

    SHA256

    67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

    SHA512

    c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-processthreads-l1-1-1.dll
    Filesize

    19KB

    MD5

    d6ad0f2652460f428c0e8fc40b6f6115

    SHA1

    1a5152871abc5cf3d4868a218de665105563775e

    SHA256

    4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

    SHA512

    ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\api-ms-win-core-timezone-l1-1-0.dll
    Filesize

    19KB

    MD5

    eab486e4719b916cad05d64cd4e72e43

    SHA1

    876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

    SHA256

    05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

    SHA512

    c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\python310.dll
    Filesize

    4.3MB

    MD5

    deaf0c0cc3369363b800d2e8e756a402

    SHA1

    3085778735dd8badad4e39df688139f4eed5f954

    SHA256

    156cf2b64dd0f4d9bdb346b654a11300d6e9e15a65ef69089923dafc1c71e33d

    SHA512

    5cac1d92af7ee18425b5ee8e7cd4e941a9ddffb4bc1c12bb8aeabeed09acec1ff0309abc41a2e0c8db101fee40724f8bfb27a78898128f8746c8fe01c1631989

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\_MEI25282\ucrtbase.dll
    Filesize

    1021KB

    MD5

    4e326feeb3ebf1e3eb21eeb224345727

    SHA1

    f156a272dbc6695cc170b6091ef8cd41db7ba040

    SHA256

    3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

    SHA512

    be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

    Download Submit
  • \Users\FF.exe
    Filesize

    19.1MB

    MD5

    074045cc3b2eb80cfcadf815649d8f6b

    SHA1

    95575604c0d74090d88290555cbbdb841c8617fb

    SHA256

    bdec95ca246e01af464bfb079a8770e398c443661868e83aa6405198f75ac0a5

    SHA512

    c179e624e9fdf4fb51e49580b6a1f899f8ed24086ccff2dc089c44a913bc59bba27afc21177ac024635fde8bfa0a76820c98168d9fea6fc2310d9d60544ddee1

    Download Submit
  • memory/3000-0-0x0000000000FF0000-0x0000000001156000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/3000-4-0x0000000004BE0000-0x0000000004C20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3000-3-0x0000000005050000-0x0000000005264000-memory.dmp
    Filesize

    2.1MB

    Download
  • memory/3000-2-0x0000000004BE0000-0x0000000004C20000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3000-1-0x00000000744E0000-0x0000000074BCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3000-212-0x00000000744E0000-0x0000000074BCE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3000-213-0x00000000744E0000-0x0000000074BCE000-memory.dmp
    Filesize

    6.9MB

    Download