Overview

overview

10

Static

static

1

4a1e405083...0.xlam

windows7-x64

10

4a1e405083...0.xlam

windows10-2004-x64

1

Analysis

  • max time kernel
    118s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    07/06/2024, 01:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam

  • Size

    675KB

  • MD5

    71e83cfe190375b478e42933ac4e1997

  • SHA1

    bd4ce42a4599837b7a819e41ab740881f2f9bbd1

  • SHA256

    4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0

  • SHA512

    a7a1fb14380353be5200ab7360a7338b8fe93f93f614faa03cfc296a9f87a7c8188cd09ecc06ef30192ffcbd8d4da25b95dae77d70a12755769e232dd6d82bb3

  • SSDEEP

    12288:DQnWa/bT29nrmgHgFSPn643Cyne30ZPN9P2X9CcDhZ28mGEWOVPJ9u0aJ2BrupA+:sMAs6A1e3of2XM01mtVxEpQBrdGDYw

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 33 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 33 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 33 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 33 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Launches Equation Editor 1 TTPs 1 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\4a1e40508379562e5cfe14681fc7f17d647b158f00a1cdef8eb3f6d2e0f423a0.xlam
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3044
  • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
    "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
    1⤵
    • Blocklisted process makes network request
    • Loads dropped DLL
    • Launches Equation Editor
    • Suspicious use of WriteProcessMemory
    PID:2584
    • C:\Users\Admin\AppData\Roaming\KID.exe
      "C:\Users\Admin\AppData\Roaming\KID.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2840
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Roaming\KID.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    72852c7998b7bd3cce965fe92c7b678f

    SHA1

    84bf7e46bfa562e7c940d659a8a4e8e7a8d946eb

    SHA256

    3df153e0ab34b0eb1567ca4a6213c6a3799c4c83ac02d5a2d12837feba84e4f6

    SHA512

    4ebd576b7a57d9d58d741fbb3356bd05acedb25556dcfada2a5e964cb51b0b462c6b175c98ec52194191911941ea2e6910727a9b45dc720cde814553eb09fb2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab1F84.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar2037.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nonsubmerged
    Filesize

    262KB

    MD5

    7658871481cc047a9339fabea060c0f1

    SHA1

    993b78228239b222a6245b30e9c85b8f9b374706

    SHA256

    4d30d09098070fd1abb2634800954cb086e78c5c241043268128512069907039

    SHA512

    c213a5160422716315a077e8979dd447ecab028142986093872bcec7547a1050700bf3418237604778b62617b87d49f1f8267b9915ce5388eb0380aea5001b74

    Download Submit

  • \Users\Admin\AppData\Roaming\KID.exe
    Filesize

    1.1MB

    MD5

    9e42c4140a5252b2ea2a32fe7d3eeb9d

    SHA1

    11f732f8ef065611f4007212f1de2713f42679d3

    SHA256

    0bf33cf8fff7fe087a86e590f03f16409f000519c71db0b50e955ef4112e338a

    SHA512

    12d72040108a85bfb8cd2d9d2ca0569b5bd937b29c59b2fccaf6f3b0436b55b86e6012af2a076df447393b67f826dd876e2f0010a89fa257dc8cc04ce56b916c

    Download Submit

  • memory/756-110-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-167-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-107-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/756-106-0x0000000000400000-0x0000000000446000-memory.dmp

    Filesize

    280KB

    Download

  • memory/756-108-0x0000000000A60000-0x0000000000AB4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/756-109-0x0000000002060000-0x00000000020B2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/756-115-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-129-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-127-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-125-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-123-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-121-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-119-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-117-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-113-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-111-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-131-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-151-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-169-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-133-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-165-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-163-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-161-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-159-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-157-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-155-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-153-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-149-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-147-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-145-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-143-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-141-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-139-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-137-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/756-135-0x0000000002060000-0x00000000020AD000-memory.dmp

    Filesize

    308KB

    Download

  • memory/3044-1-0x000000007245D000-0x0000000072468000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3044-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3044-1140-0x000000007245D000-0x0000000072468000-memory.dmp

    Filesize

    44KB

    Download

  • memory/3044-1143-0x000000007245D000-0x0000000072468000-memory.dmp

    Filesize

    44KB

    Download