Overview

overview

10

Static

static

10

add0d680c4...c9.exe

windows7-x64

10

add0d680c4...c9.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    104s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe

  • Size

    238KB

  • MD5

    b6a505583abf47aca04e614aab181c15

  • SHA1

    2a51b0ccc10629a167c8efd1613eabe149a03d50

  • SHA256

    add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9

  • SHA512

    f32b038cfaf5f8469ee889e8c39f9a99e5971c4053c8053a976ed93d4d4167081473c6d24d8d596c0e7b30050536bd88b736edd8b326657629336062c296e5f4

  • SSDEEP

    3072:yZl2e7GdwPfnnP8LkdxJGVHWeZXLDmdeEUMk5iJGeq5Wy5NmxgA:yZl2TdwPfnnPjdxJGV2eZH4U9uGee5E

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    terminal4.veeblehosting.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Ifeanyi1987@

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe
    "C:\Users\Admin\AppData\Local\Temp\add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:516

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/516-0-0x0000000000BD0000-0x0000000000C12000-memory.dmp

    Filesize

    264KB

    Download

  • memory/516-1-0x0000000075140000-0x00000000758F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/516-2-0x0000000005B70000-0x0000000006114000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/516-3-0x00000000055B0000-0x00000000055C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/516-4-0x0000000005730000-0x0000000005796000-memory.dmp

    Filesize

    408KB

    Download

  • memory/516-5-0x0000000006B50000-0x0000000006BA0000-memory.dmp

    Filesize

    320KB

    Download

  • memory/516-6-0x0000000006C40000-0x0000000006CDC000-memory.dmp

    Filesize

    624KB

    Download

  • memory/516-7-0x0000000006E80000-0x0000000006F12000-memory.dmp

    Filesize

    584KB

    Download

  • memory/516-8-0x0000000006E40000-0x0000000006E4A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/516-9-0x0000000075140000-0x00000000758F0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/516-10-0x00000000055B0000-0x00000000055C0000-memory.dmp

    Filesize

    64KB

    Download