Overview

overview

10

Static

static

3

doc023571961500.exe

windows7-x64

8

doc023571961500.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22-05-2024 12:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    doc023571961500.exe

  • Size

    708KB

  • MD5

    1fdc4210c29446f1358360b7df89eb3e

  • SHA1

    feabe794bd8654ceaa0d2a2588b252fed6cae378

  • SHA256

    8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c

  • SHA512

    4f30ad8c74e270d7cc88f3de29fd9a2530a378b07cd5efce7867e19e007472f89da0b6a1fcc97871f4b3e16d65513369b6c34f6e4144983afcebfe35965e337a

  • SSDEEP

    12288:QuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13c:HT1Rqm/kol3Kn619k+

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\doc023571961500.exe
    "C:\Users\Admin\AppData\Local\Temp\doc023571961500.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" -windowstyle hidden "$Induktionen=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin';$Noncredibility=$Induktionen.SubString(54173,3);.$Noncredibility($Induktionen)"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4156
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
        3⤵
          PID:1796
        • C:\Program Files (x86)\windows mail\wab.exe
          "C:\Program Files (x86)\windows mail\wab.exe"
          3⤵
          • Suspicious use of NtCreateThreadExHideFromDebugger
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3652

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t34xym4l.wps.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Besonnet198.Srb
      Filesize

      318KB

      MD5

      f7fdc5a99007f4b2f31937dd8205c668

      SHA1

      6a08dffb90f21565641c0660b444ecbffc875fb0

      SHA256

      62c4dabf9dac154bf2d18d42cc1c72944d5e69109d9367211a89580ba6760583

      SHA512

      f0cca3d85832339233259e9d8f37ccc570faca62f26fd5554c0e1415e5368c1afacbe83039124927651ff33bb260a9c604912073ff3fe258f9036091afb92980

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin
      Filesize

      52KB

      MD5

      8feef5a2d2851a6927d27a3cdb9ef266

      SHA1

      951b7b70b5523c1a2252d2924b03335d92e73912

      SHA256

      df187dabada995e329a11f1d8eed38813eb43509252597db7e67706287be95a5

      SHA512

      458ee8fc14f094352d2e3c67e4ce7d452a0b6e5041898f2b852920e90c621665f22f53f09a56972db23e4b3c12e390c589292c4fd2777d5a0f36495ba1b2e578

      Download Submit
    • memory/3652-63-0x0000000023F40000-0x0000000023F4A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3652-62-0x0000000023FE0000-0x0000000024072000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3652-59-0x0000000000A00000-0x0000000000A42000-memory.dmp
      Filesize

      264KB

      Download
    • memory/3652-58-0x0000000000A00000-0x0000000001C54000-memory.dmp
      Filesize

      18.3MB

      Download
    • memory/3652-48-0x0000000077BB8000-0x0000000077BB9000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3652-47-0x0000000077B31000-0x0000000077C51000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3652-61-0x0000000023EF0000-0x0000000023F40000-memory.dmp
      Filesize

      320KB

      Download
    • memory/4156-28-0x0000000006270000-0x000000000628E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/4156-11-0x0000000002C90000-0x0000000002CC6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/4156-30-0x00000000067E0000-0x0000000006876000-memory.dmp
      Filesize

      600KB

      Download
    • memory/4156-31-0x0000000006790000-0x00000000067AA000-memory.dmp
      Filesize

      104KB

      Download
    • memory/4156-32-0x0000000007240000-0x0000000007262000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4156-33-0x0000000007820000-0x0000000007DC4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4156-12-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-23-0x0000000005C80000-0x0000000005FD4000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4156-13-0x00000000055E0000-0x0000000005C08000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/4156-38-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-39-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-29-0x00000000062B0000-0x00000000062FC000-memory.dmp
      Filesize

      304KB

      Download
    • memory/4156-41-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-42-0x0000000008AD0000-0x000000000C2B8000-memory.dmp
      Filesize

      55.9MB

      Download
    • memory/4156-44-0x00000000741BE000-0x00000000741BF000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4156-45-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-46-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-37-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-17-0x0000000005C10000-0x0000000005C76000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4156-16-0x0000000005550000-0x00000000055B6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/4156-15-0x00000000741B0000-0x0000000074960000-memory.dmp
      Filesize

      7.7MB

      Download
    • memory/4156-35-0x0000000008450000-0x0000000008ACA000-memory.dmp
      Filesize

      6.5MB

      Download
    • memory/4156-14-0x00000000053B0000-0x00000000053D2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4156-10-0x00000000741BE000-0x00000000741BF000-memory.dmp
      Filesize

      4KB

      Download