Overview

overview

10

Static

static

3

DkJr5Ana0qQ1M3U.exe

windows7-x64

10

DkJr5Ana0qQ1M3U.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    22-05-2024 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DkJr5Ana0qQ1M3U.exe

  • Size

    844KB

  • MD5

    1449687555ad3c34204cbb9dc286603a

  • SHA1

    e43f55d0e375853f27c9786193d7614289c7f7b6

  • SHA256

    14ce526032b5ba32eee02d91119ed9fe15b9590b18a359d04627e1e97d7a6e86

  • SHA512

    d848e98b6031a1d092e9652fed86f4346fcad44d6c5a68bf9776a02f373047f01b72a7b7fd5004950c1f458a2607659cc3415d837e6e7650387bd3909925da76

  • SSDEEP

    12288:sWx504bFtx504bFWxmiuHPRNaQZiZ5hfPBTdPl5yyuQCUGWcfPFkwV8fFX37a:Jw4bjw4bquH5N125TAPQsXFkhn7

Score
10/10
agentteslaexecutionkeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe
    "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\DkJr5Ana0qQ1M3U.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uLhLhiEXSD.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3052
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uLhLhiEXSD" /XML "C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2548

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp517A.tmp
    Filesize

    1KB

    MD5

    18ce0b2d86ad8e1ffd04a1850fc5e3af

    SHA1

    3ac6484293d0ed0b360a1a28e76c31c37aa29b0d

    SHA256

    50e8ac3424f108b7ba64c5869f96e6f77f6cd7e1b17793c6fd17ca51996e6c66

    SHA512

    544f7b34ef7109419bd161ae8e57d7d86db2f031f49dd55a7593a088e35b6edbaa49fffad90c34ceaff7e8d1b754716f0e0c12d3f80572773411d499f3a8a9e0

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O3YE17SUCHZUWVDNAIEQ.temp
    Filesize

    7KB

    MD5

    d4c411b794fb3f038f2e6e033f91dcec

    SHA1

    07051e58844bc7d5b5206805048c533a37a0af19

    SHA256

    e1ca78ff7841ca69e34576f52f97c79b88610d7708481528eeab64d6426cb276

    SHA512

    bb4feae099e1261d0abfb8917bcc3cb1f87cfaaa0078b877e26c58430482ba47bf47abfbdc2e02ff0905079daa5dc6b0e31abe8cd0fe4dd8a7a7d58c55822bdb

    Download Submit
  • memory/2860-0-0x0000000073F3E000-0x0000000073F3F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2860-1-0x0000000000180000-0x0000000000256000-memory.dmp
    Filesize

    856KB

    Download
  • memory/2860-3-0x0000000073F30000-0x000000007461E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2860-2-0x0000000000920000-0x000000000093A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2860-4-0x0000000000940000-0x0000000000950000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2860-5-0x0000000005060000-0x00000000050E4000-memory.dmp
    Filesize

    528KB

    Download
  • memory/2860-18-0x0000000004BC0000-0x0000000004C02000-memory.dmp
    Filesize

    264KB

    Download
  • memory/2860-19-0x0000000073F3E000-0x0000000073F3F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2860-20-0x0000000073F30000-0x000000007461E000-memory.dmp
    Filesize

    6.9MB

    Download