Overview

overview

10

Static

static

5

ccba2d4f64...c5.exe

windows7-x64

10

ccba2d4f64...c5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    134s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/08/2024, 02:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe

  • Size

    1.1MB

  • MD5

    eb4d07f7aa59e7b313fba17f44004262

  • SHA1

    70c2427dd9f0ad884b1157cbed0d550df9903452

  • SHA256

    ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5

  • SHA512

    4b34abc556feafacd372dc383fec0612a0e816d9d89bcf0aad7f5cc966d3004862f3cc0cbc80d1fd8aadfa2ddbaa5543c2099d5bcfe2ecf0e6415967abc87680

  • SSDEEP

    24576:SqDEvCTbMWu7rQYlBQcBiT6rprG8a6GUjU+6SmA:STvC/MTQYxsWR7a6GUjUI

Score
10/10
agentteslacredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 19 IoCs
  • Suspicious use of SendNotifyMessage 19 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe
    "C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3716
    • C:\Users\Admin\AppData\Local\directory\name.exe
      "C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Users\Admin\AppData\Local\Temp\ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3344

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Prober
    Filesize

    84KB

    MD5

    d5d1e82f394d186e561d014d2a71231f

    SHA1

    0aca292245da7fb900647bbf8a3ef7eaf56428cc

    SHA256

    50f749c532e0dbb4fa0a4d9aa178e7e0995dd368d144017e1cb249e4dda08126

    SHA512

    8d86132d20baf32e974b46eff83458c0c31099ab01599376ff55c695d0d4608d318eddf0236c7b1dfa22c54db726af478a1e4f1b8cc0e28cd3cb5719cb2a64c8

    Download Submit

  • C:\Users\Admin\AppData\Local\directory\name.exe
    Filesize

    1.1MB

    MD5

    eb4d07f7aa59e7b313fba17f44004262

    SHA1

    70c2427dd9f0ad884b1157cbed0d550df9903452

    SHA256

    ccba2d4f646c750075acb6931fb502965124df5def59ab4c1979cce417c34ac5

    SHA512

    4b34abc556feafacd372dc383fec0612a0e816d9d89bcf0aad7f5cc966d3004862f3cc0cbc80d1fd8aadfa2ddbaa5543c2099d5bcfe2ecf0e6415967abc87680

    Download Submit

  • memory/3344-32-0x0000000005410000-0x00000000059B4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/3344-30-0x00000000007A0000-0x00000000007E0000-memory.dmp

    Filesize

    256KB

    Download

  • memory/3344-31-0x000000007472E000-0x000000007472F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-33-0x0000000004F60000-0x0000000004FC6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/3344-34-0x0000000074720000-0x0000000074ED0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3344-35-0x0000000006220000-0x0000000006270000-memory.dmp

    Filesize

    320KB

    Download

  • memory/3344-36-0x0000000006310000-0x00000000063A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/3344-37-0x0000000006290000-0x000000000629A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/3344-38-0x000000007472E000-0x000000007472F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3344-39-0x0000000074720000-0x0000000074ED0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/3716-11-0x00000000014F0000-0x00000000014F4000-memory.dmp

    Filesize

    16KB

    Download