Overview

overview

10

Static

static

3

216c0539cc...ca.exe

windows7-x64

10

216c0539cc...ca.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe

  • Size

    616KB

  • MD5

    0c937b5c2726ead914f467f4458fb30c

  • SHA1

    f1d0c49c593499e9190bcb796a0cd7292fbfeea6

  • SHA256

    216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca

  • SHA512

    d9403de28b2bf85cf7d0cf2390497016cf3e00255486eed84223bd97a5e41e21ebfd9218056e082bf745d4d7fdf7a712b72559358d2118eda6141222539a1231

  • SSDEEP

    12288:k9Xl+wonve99dbGPG+gibay1WTIlLuRtjI0THYWsuFFu5KmgsHL:kLRovq78GniOTTyLurk0TQNio

Score
10/10
agentteslakeyloggerpersistencespywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
  • Detects executables packed with or use KoiVM 1 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe
    "C:\Users\Admin\AppData\Local\Temp\216c0539ccfc639a2638c1d86d5af4accd3dd621c1372c1277432349f2977eca.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3508
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:440
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
        PID:2532

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/440-10-0x0000000005670000-0x00000000056D6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/440-18-0x0000000075310000-0x0000000075AC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/440-17-0x000000007531E000-0x000000007531F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/440-16-0x00000000082C0000-0x00000000082CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/440-15-0x0000000008B00000-0x0000000008B50000-memory.dmp

      Filesize

      320KB

      Download

    • memory/440-13-0x0000000006980000-0x0000000006A12000-memory.dmp

      Filesize

      584KB

      Download

    • memory/440-11-0x0000000075310000-0x0000000075AC0000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/440-7-0x0000000000400000-0x0000000000442000-memory.dmp

      Filesize

      264KB

      Download

    • memory/440-8-0x000000007531E000-0x000000007531F000-memory.dmp

      Filesize

      4KB

      Download

    • memory/440-9-0x0000000005AB0000-0x0000000006054000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3508-4-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3508-6-0x000001CE26EE0000-0x000001CE26F74000-memory.dmp

      Filesize

      592KB

      Download

    • memory/3508-12-0x00007FF8D81B0000-0x00007FF8D8C71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3508-5-0x000001CE0E510000-0x000001CE0E516000-memory.dmp

      Filesize

      24KB

      Download

    • memory/3508-0-0x000001CE0C9B0000-0x000001CE0C9BE000-memory.dmp

      Filesize

      56KB

      Download

    • memory/3508-3-0x000001CE0E550000-0x000001CE0E56E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/3508-2-0x000001CE0E5D0000-0x000001CE0E646000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3508-1-0x00007FF8D81B3000-0x00007FF8D81B5000-memory.dmp

      Filesize

      8KB

      Download