Overview

overview

10

Static

static

1

514266ecbe...3.xlam

windows7-x64

10

514266ecbe...3.xlam

windows10-2004-x64

1

Analysis

  • max time kernel
    121s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags

    arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 01:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    514266ecbe03893240e9d85f2d3ffdecc2ab09f1ac35cc312ee4112e02d24fe3.xlam

  • Size

    14KB

  • MD5

    b21f485299919357e9a90b9ab275d23a

  • SHA1

    f70d73fd6646a872428f9082549aebfad445d371

  • SHA256

    514266ecbe03893240e9d85f2d3ffdecc2ab09f1ac35cc312ee4112e02d24fe3

  • SHA512

    fb0e94219af45c5c8fe599b74dd139564b885a842c999bd2422d658a12d74446fface38235902493c9b7bff576226e55dd21d1b149645d868479739842b57034

  • SSDEEP

    384:P4+dXIZwO4vs7zR9IoFTbBgaWab88citqhkA6:g+lIYgIoFTbdWao8/qhkA6

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 4 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 4 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 4 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 4 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 4 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 4 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\514266ecbe03893240e9d85f2d3ffdecc2ab09f1ac35cc312ee4112e02d24fe3.xlam
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3000
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\wswgopxdji2s.exe
      "C:\Users\Admin\AppData\Local\Temp\wswgopxdji2s.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\wswgopxdji2s.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Exploitation for Client Execution

1
T1203

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\wswgopxdji2s.exe
    Filesize

    1012KB

    MD5

    66e5c9de148b496d53b2968c6a03c257

    SHA1

    2431d4c9028ef358e0b47a6997422457696cc31a

    SHA256

    4f57445ce960af0f5b9bc7386e6935226955a1221637225bc1d6533d6bd2b88c

    SHA512

    859931dd90b3d01853af09f4d914ee4c0ed2e01cbe3b20618f6144772d4d5017a60364a7c24b2b59524f529985ed35e357e463115c4d856874c94d959aa62ae5

    Download Submit
  • memory/2452-25-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2452-24-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2452-32-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2452-29-0x0000000000090000-0x00000000000D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/3000-0-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3000-1-0x0000000071FBD000-0x0000000071FC8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3000-33-0x0000000071FBD000-0x0000000071FC8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3000-36-0x0000000071FBD000-0x0000000071FC8000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3000-35-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize

    64KB

    Download