Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 02:36

General

  • Target

    fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe

  • Size

    660KB

  • MD5

    57ade9cbd347364926d40e16c74c39b1

  • SHA1

    ed4af64bfc4de307c62c1cba65949f759d6f5111

  • SHA256

    fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a

  • SHA512

    fd03e4793cd7e6ce20773b0a83530d1438beab5178b4023993d381017baf22f0e19a82d81eadd8c167624fd5955e97d6cc6dbce64c49d1bc96fbf6d488a59b73

  • SSDEEP

    12288:ju+4zi8LkpEaZZoy1XusX4X0G1LiI0ePZYGuTMqo1n/u6req39ee5y7Yh77Zj:yX2jEEGyWNmI0ePjuTMqoFB/9eeIYh77

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe
    "C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2812
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\fa7c1612ff853767974f6362697fa5055b65e4c8c22c0ca143012d827d02ba6a.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ftXzIeBqaqam.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2492
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ftXzIeBqaqam" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE56F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2360

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    • Command and Scripting Interpreter (T1059): 1
      • PowerShell (T1059.001): 1
    • Scheduled Task/Job (T1053): 1
  • Persistence
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Privilege Escalation
    • Boot or Logon Autostart Execution (T1547): 1
      • Registry Run Keys / Startup Folder (T1547.001): 1
    • Scheduled Task/Job (T1053): 1
  • Defense Evasion
    • Modify Registry (T1112): 1
  • Credential Access
    • Unsecured Credentials (T1552): 4
      • Credentials In Files (T1552.001): 3
      • Credentials in Registry (T1552.002): 1
  • Discovery
    • System Information Discovery (T1082): 1
  • Collection
    • Data from Local System (T1005): 4

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE56F.tmp
    Filesize

    1KB

    MD5

    60d738c17055243d739d31c5b96428c5

    SHA1

    8fbb9ea31b479e7712bc38b46a0a9d7159c998ca

    SHA256

    8b3d4bebe3a2764045fe75afa4e0a5a64ec5fcd262fa18de77cf2ec5c0f07436

    SHA512

    6781d1501c40ec9f53cc888569ed1d901131f491b033543812793040564246774c96520e72b9ab95938b51c99e7b24a446bc7351db0d7a7ec49c4ccaa9b3276f

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\XW7NTHEAI3LEKWK1MM06.temp
    Filesize

    7KB

    MD5

    b42643d82f5ad3b2116d518ca61883e5

    SHA1

    9736135c4125501a48fa8716d9b9b2e1898168f0

    SHA256

    e9f1b3c29f362211cb275480c99412a4fb50740f0f424bf1d6aa7a40d94ed982

    SHA512

    abe64c662d51a544b288b4b28c5d2bdd6f819902c7f5658182f24ea7bf59177b2db2529b57a7e8d3acacf1382f26baeab2537658058264850513ced55183d38a

  • memory/2812-0-0x0000000077080000-0x0000000077229000-memory.dmp
    Filesize

    1.7MB

  • memory/2812-1-0x0000000001320000-0x00000000013CA000-memory.dmp
    Filesize

    680KB

  • memory/2812-2-0x0000000000610000-0x000000000062A000-memory.dmp
    Filesize

    104KB

  • memory/2812-3-0x0000000000480000-0x0000000000490000-memory.dmp
    Filesize

    64KB

  • memory/2812-4-0x0000000005260000-0x00000000052E4000-memory.dmp
    Filesize

    528KB

  • memory/2812-17-0x0000000005C40000-0x0000000005C82000-memory.dmp
    Filesize

    264KB