Overview

overview

10

Static

static

3

938a507f17...b2.exe

windows7-x64

10

938a507f17...b2.exe

windows10-2004-x64

10

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 02:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2.exe

  • Size

    1.3MB

  • MD5

    7741e296fc7876e2cf35e44ba4264f47

  • SHA1

    265bb706ee04a4d3b6f23c87873bc7d5202c0de9

  • SHA256

    938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2

  • SHA512

    1caa387ded8ec1431cceba2def2abfdf53883fdb2c300d8a64de726f35e0a28f0036c29f0f2d894fcdcff6f6bcb6f827124ca6ca7419fa24d212d84ec5d21ffc

  • SSDEEP

    24576:99Q0lIVTRJRqhx+pF/GMvtfc+DBy/U77VaaG8uosbrDqa1VHWTcSdmWDxbLn/ohK:LQ0lsRzeMp8MtftD4M77YoOrDX1l2xb3

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 2 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 2 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 2 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 2 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 2 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2.exe
    "C:\Users\Admin\AppData\Local\Temp\938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Suspicious use of SetThreadContext
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:384
    • C:\Users\Admin\AppData\Local\Temp\938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2.exe
      "C:\Users\Admin\AppData\Local\Temp\938a507f1786d7badcc95dca38a1d9bdb78984b051a68a7fd70a1b872b36a2b2.exe"
      2⤵
      • Suspicious use of NtCreateThreadExHideFromDebugger
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

4
T1552

Credentials In Files

3
T1552.001

Credentials in Registry

1
T1552.002

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

4
T1005

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nstA11.tmp\System.dll
    Filesize

    11KB

    MD5

    b8992e497d57001ddf100f9c397fcef5

    SHA1

    e26ddf101a2ec5027975d2909306457c6f61cfbd

    SHA256

    98bcd1dd88642f4dd36a300c76ebb1ddfbbbc5bfc7e3b6d7435dc6d6e030c13b

    SHA512

    8823b1904dccfaf031068102cb1def7958a057f49ff369f0e061f1b4db2090021aa620bb8442a2a6ac9355bb74ee54371dc2599c20dc723755a46ede81533a3c

    Download Submit
  • memory/384-33-0x0000000077701000-0x0000000077802000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/384-34-0x0000000077700000-0x00000000778A9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2568-35-0x0000000077700000-0x00000000778A9000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/2568-36-0x0000000000480000-0x00000000014E2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2568-58-0x0000000000480000-0x00000000014E2000-memory.dmp
    Filesize

    16.4MB

    Download
  • memory/2568-59-0x0000000000480000-0x00000000004C2000-memory.dmp
    Filesize

    264KB

    Download