Overview

overview

10

Static

static

3

b6d43405e5...52.exe

windows7-x64

10

b6d43405e5...52.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    105s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 06:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe

  • Size

    3.2MB

  • MD5

    06dcb15ae610d9451fb568bc536069ee

  • SHA1

    611af21b221bd004e7546d2603793de501b4f38d

  • SHA256

    b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252

  • SHA512

    9ce44cf3089f267b8db94ae4bdb3e78655fefe0aab4125cae956f0fbef4aa161e6eaca1f3ac0b755d75e10a1e31a5231c450ac8a04fc461bd1dbf45ee92c19fb

  • SSDEEP

    49152:tJkY6l5vePmrlqqZZp/wuERzibxCfAz7x:bkY6l5vePGlp99b/x

Score
10/10
agenttesladiscoveryevasionkeyloggerpersistencespywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe
    "C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4356
    • \??\c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
      c:\users\admin\appdata\local\temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Looks for VMWare Tools registry key
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Maps connected drives based on registry
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious use of AdjustPrivilegeToken
      PID:4920
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4020
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3648
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1168
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4664
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:512

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\b6d43405e5d36e6e74de2ff2d22d864edb0db18f9db4e928def7155054b4e252.exe 
    Filesize

    3.1MB

    MD5

    0c33284728a138decf9bf5229bc1272a

    SHA1

    41bac3740aee663620d82503e7dda4cd3f564eb7

    SHA256

    ad013bc1676f0fb7f9dd576d5d96e4b121770756abeb70379e01d0003dca8681

    SHA512

    0c9a0647418ffdf03ca31db1fbe7152a301953d1fe9a7115f18271c4690ed72af0e2b0acf9f6ad05234e6faa7cba759d815435cb67536a1253f1959a953a6622

    Download Submit

  • C:\Windows\Resources\Themes\explorer.exe
    Filesize

    135KB

    MD5

    00780eb851421de5ac1e674adf2d6231

    SHA1

    e2355b76db66a06cc6aeb2209a6dfdd7fc1058f6

    SHA256

    d4cbdad4a991d006a39b6ba179aa4449371d072a402c4eb83670346ef880cfee

    SHA512

    e06904351f300c9b273c063f630d6d4f56a8258d324575ae633441446ceec48de24c0e763a9bbf5f927242ab12fc1d2541d897f6c1cad0011fb40cf9078725de

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    135KB

    MD5

    a082983f3d6f012f8b211bcac9df371d

    SHA1

    8f13e36f5ec891cf4eccfc77694b6268f50f07d9

    SHA256

    9a45fb25503111878442721305dfd9f5c9bd9cf3e60e1d5b5e9c754b48166253

    SHA512

    b5d3c96efb0d84ee4d7c968ea90d7c75b8203667ea9beaa655e6507f03d146e5fccbfb45561559085fdba9e016c645959f6e510cb8a43a351aa4ac856253b04a

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    135KB

    MD5

    b0d90b18e84c7ddcf73b7945179ee83a

    SHA1

    10344dd21092c3d5e8099a1a485589de1855a58e

    SHA256

    b98547ea39f8b4791d3f56135eb55410f962aebe9771cf4aaa23c7659e028793

    SHA512

    16626bf2b9c1a9bd616e0d62e013dca646a057f9fade24552940fc0f5575e33e4b19d5684d726f69c2c5d3237d756caa7416bee19ac59aa32ab1e8fd94c46415

    Download Submit

  • C:\Windows\Resources\svchost.exe
    Filesize

    135KB

    MD5

    16f8be46771bf018399fd5847780fdf0

    SHA1

    332b736810a66710c1061b1440cdf2ea7901b8fa

    SHA256

    71caf84b25b929bbba43404e5a97242791e945b4b5989ac8cb9310632ebd91f1

    SHA512

    0457c8e7e0667bfeb15fd41794bfefe0180f613f2a7f636ee889fa49a62ce74f6119aa5b9baea46e67507199cfea51346d9eeb55df7059c51caf9ad678bb6272

    Download Submit

  • memory/512-53-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/512-56-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/1168-54-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/3648-65-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4020-57-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4356-55-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4356-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4664-66-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

    Download

  • memory/4920-47-0x00000000063D0000-0x00000000063DA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4920-11-0x0000000074310000-0x0000000074AC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4920-49-0x0000000006520000-0x0000000006732000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4920-29-0x0000000006110000-0x00000000061A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4920-13-0x0000000005750000-0x0000000005CF4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4920-14-0x0000000005110000-0x0000000005176000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4920-12-0x0000000004FA0000-0x000000000510A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4920-37-0x00000000060C0000-0x00000000060D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4920-58-0x00000000097D0000-0x0000000009882000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4920-59-0x0000000009490000-0x00000000094B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4920-60-0x0000000009880000-0x0000000009BD4000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4920-62-0x0000000009C20000-0x0000000009C5C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4920-63-0x000000007431E000-0x000000007431F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4920-64-0x0000000074310000-0x0000000074AC0000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/4920-10-0x0000000000030000-0x000000000034A000-memory.dmp

    Filesize

    3.1MB

    Download

  • memory/4920-9-0x000000007431E000-0x000000007431F000-memory.dmp

    Filesize

    4KB

    Download