Overview

overview

10

Static

static

3

VISUAL FRE...D).ttf

windows7-x64

3

VISUAL FRE...D).ttf

windows10-2004-x64

7

VISUAL FRE...D).ttf

windows7-x64

3

VISUAL FRE...D).ttf

windows10-2004-x64

7

VISUAL FRE...D).ttf

windows7-x64

3

VISUAL FRE...D).ttf

windows10-2004-x64

7

VISUAL FRE...SO.exe

windows7-x64

7

VISUAL FRE...SO.exe

windows10-2004-x64

7

VISUAL FRE...ST.exe

windows7-x64

7

VISUAL FRE...ST.exe

windows10-2004-x64

7

VISUAL FRE...ee.exe

windows7-x64

10

VISUAL FRE...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/06/2024, 21:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VISUAL FREE/VISUAL FREE/Visual Free.exe

  • Size

    1.5MB

  • MD5

    3a13abf4262c67c1b8cc4409f3c619ec

  • SHA1

    154a2c04005d0835317a3b525a3ad40dad7dc772

  • SHA256

    4c467b19727b3a922e915c27431f15a0d39a33a9e7ab411d311ed521979385dd

  • SHA512

    9edeb7584978f3c49719eeac93bf00ffefd9764261163d2031f5623839c5543537f40cc44c70c2611b715ac2ab6723b74bb4f1fb256ec33faaec8e5f88799263

  • SSDEEP

    24576:77o7X+gn2G9LJVJGnnA9FNQ3RGWZTCno8D+cM19s2XXCCLS/2ECRURusE6x:7Kr2aVJCAOGWZTkXMU2LaGRD

Score
10/10
agentteslakeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Program crash 2 IoCs
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VISUAL FREE\VISUAL FREE\Visual Free.exe
    "C:\Users\Admin\AppData\Local\Temp\VISUAL FREE\VISUAL FREE\Visual Free.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3208
    • C:\Windows\SysWOW64\cmd.exe
      "cmd.exe" /c >NUL timeout /t 2 && exit
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3444
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 2
        3⤵
        • Delays execution with timeout.exe
        PID:2436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1464
      2⤵
      • Program crash
      PID:4040
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3208 -s 1156
      2⤵
      • Program crash
      PID:4920
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 3208 -ip 3208
    1⤵
      PID:4800
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 3208 -ip 3208
      1⤵
        PID:752
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3760,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4120 /prefetch:8
        1⤵
          PID:208

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3208-0-0x000000007467E000-0x000000007467F000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3208-1-0x0000000000F10000-0x00000000010A8000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/3208-3-0x0000000005B10000-0x0000000005C22000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/3208-4-0x00000000061D0000-0x0000000006774000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/3208-2-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3208-6-0x0000000006D60000-0x0000000006D6A000-memory.dmp

          Filesize

          40KB

          Download

        • memory/3208-5-0x0000000006B80000-0x0000000006C12000-memory.dmp

          Filesize

          584KB

          Download

        • memory/3208-7-0x0000000006F20000-0x0000000007134000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/3208-8-0x0000000074670000-0x0000000074E20000-memory.dmp

          Filesize

          7.7MB

          Download