Overview

overview

10

Static

static

3

63b303a4e0...d1.exe

windows7-x64

8

63b303a4e0...d1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 14:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe

  • Size

    844KB

  • MD5

    d56e4cf40342c261abc7f621c30908d3

  • SHA1

    09f99d47b38931ad4f964e98ef106c218e07ca12

  • SHA256

    63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1

  • SHA512

    201b0eb2546e0a3e7bb9f503c85c9ba1c24fcfd9de2a62972d3b9f45ee59c5f4d45585e319efe6baa54d664d39ddbf9d4fd51de0d6c2131d3f5b7847f48c34f2

  • SSDEEP

    24576:vw4bjw4bolDAFv956pfL3U603tg+MyKOPNs8UYJzDSBNFxa7:vw4bjw4bgAFv956L3IdRG8UYJzDS0

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Q6]7rLSD*gU2

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.jeepcommerce.rs
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    Q6]7rLSD*gU2

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe
    "C:\Users\Admin\AppData\Local\Temp\63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4272
    • C:\Users\Admin\AppData\Local\Temp\63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe
      "C:\Users\Admin\AppData\Local\Temp\63b303a4e01924ae9ca9fcfc7f75cf87144598342415df3cdd802440d770add1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ck4gsgyq.sol.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/4064-11-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/4064-62-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4064-58-0x00000000067F0000-0x0000000006840000-memory.dmp

    Filesize

    320KB

    Download

  • memory/4064-28-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4064-17-0x00000000052B0000-0x0000000005316000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4064-16-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-48-0x0000000006DD0000-0x0000000006E73000-memory.dmp

    Filesize

    652KB

    Download

  • memory/4272-49-0x0000000007540000-0x0000000007BBA000-memory.dmp

    Filesize

    6.5MB

    Download

  • memory/4272-61-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-57-0x0000000007220000-0x0000000007228000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4272-56-0x0000000007240000-0x000000000725A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4272-15-0x0000000004C50000-0x0000000005278000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4272-55-0x0000000007140000-0x0000000007154000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4272-54-0x0000000007130000-0x000000000713E000-memory.dmp

    Filesize

    56KB

    Download

  • memory/4272-18-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-53-0x0000000007100000-0x0000000007111000-memory.dmp

    Filesize

    68KB

    Download

  • memory/4272-13-0x00000000045D0000-0x0000000004606000-memory.dmp

    Filesize

    216KB

    Download

  • memory/4272-19-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-20-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4272-52-0x0000000007180000-0x0000000007216000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4272-51-0x0000000006F70000-0x0000000006F7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4272-24-0x00000000054F0000-0x0000000005556000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4272-21-0x0000000004C20000-0x0000000004C42000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4272-33-0x0000000005750000-0x0000000005AA4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4272-34-0x0000000005BD0000-0x0000000005BEE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4272-35-0x0000000005CB0000-0x0000000005CFC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4272-36-0x0000000006D90000-0x0000000006DC2000-memory.dmp

    Filesize

    200KB

    Download

  • memory/4272-37-0x0000000070890000-0x00000000708DC000-memory.dmp

    Filesize

    304KB

    Download

  • memory/4272-47-0x00000000061B0000-0x00000000061CE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/4272-50-0x0000000006F00000-0x0000000006F1A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5032-0-0x00000000748BE000-0x00000000748BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5032-8-0x0000000005C50000-0x0000000005C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5032-3-0x0000000005A30000-0x0000000005AC2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5032-5-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5032-4-0x0000000005A10000-0x0000000005A1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5032-14-0x00000000748B0000-0x0000000075060000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/5032-6-0x0000000005C70000-0x0000000005D0C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/5032-7-0x0000000006720000-0x000000000673A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/5032-10-0x00000000748BE000-0x00000000748BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5032-2-0x0000000005F40000-0x00000000064E4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5032-9-0x0000000006BF0000-0x0000000006C74000-memory.dmp

    Filesize

    528KB

    Download

  • memory/5032-1-0x0000000000F20000-0x0000000000FF6000-memory.dmp

    Filesize

    856KB

    Download