Overview

overview

10

Static

static

1

MAR-2024 SOA.exe

windows7-x64

10

MAR-2024 SOA.exe

windows10-2004-x64

10

New Point ...HL.exe

windows7-x64

10

New Point ...HL.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01/05/2024, 01:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New Point of Contact for Corporate Courier Account - DHL.exe

  • Size

    678KB

  • MD5

    aac586d30baf022e1b8b6c7a7cc8d13d

  • SHA1

    96e85cab4b0be50852790643d13c443f3a13c932

  • SHA256

    1a0486e88ae41122c2292575652fdd92555f59250cea7e529ec37843a02b09a0

  • SHA512

    23b3cd602369e26b25a8ce16a0cc13184fbc1e736934b6795ade1e1bddbcbd7777ddf5227b8531ccdb8bb3a60632b703d7d92b9160df61d9cc0e217a094b4e9c

  • SSDEEP

    12288:JIueWFm+XvX9ynLJQnI4HNEhCNrH77P2Vdn1Xej8a8iSLHDYOaQ9thwkR:hRFm+Xv9ynLenI4GhKb7P21U8aBSbU29

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New Point of Contact for Corporate Courier Account - DHL.exe
    "C:\Users\Admin\AppData\Local\Temp\New Point of Contact for Corporate Courier Account - DHL.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2340
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New Point of Contact for Corporate Courier Account - DHL.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2980
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WqlrEkFujyAA.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WqlrEkFujyAA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp44EC.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2652
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp44EC.tmp
    Filesize

    1KB

    MD5

    7b8dcba167cfcd737e8f76300af94e60

    SHA1

    c71a4950109a003139924182e36de350ef16c4f4

    SHA256

    795bffa57a016c13bb1366f35ce047e55135920310e41d203fa46438925f8f8b

    SHA512

    8b121aeffab1ba9d5cfc90b44bb2b6da5f928b9bc2d81f71b75be2cfbdc4d271761c8847d5b8bbd9a2b4ca1d5d6a3acb73baa71321e48b19d03bc30eb6487205

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    a1538572071c5345362a5dd1295d8cd4

    SHA1

    15fc600c969842d75ce73522f42ae333c391542f

    SHA256

    1283873cace16b330f53d985cd1c4270a176c59bd24b705b8d3fcdb07935209f

    SHA512

    21cc9ff887757ecfba8cd5e77e5f3634fee7085a06b86752bc16aba3514731fa326031e59a4925de6062f51c0f17fd51ff3ac084f542247d3566b73db5b09690

    Download Submit

  • memory/2340-4-0x0000000000460000-0x000000000046E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2340-31-0x0000000074800000-0x0000000074EEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2340-0-0x0000000001140000-0x00000000011EC000-memory.dmp

    Filesize

    688KB

    Download

  • memory/2340-5-0x0000000000470000-0x0000000000486000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2340-6-0x0000000005CB0000-0x0000000005D32000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2340-2-0x0000000000ED0000-0x0000000000F10000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2340-1-0x0000000074800000-0x0000000074EEE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2340-3-0x0000000000440000-0x0000000000458000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2712-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2712-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-21-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2712-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download