Overview

overview

10

Static

static

3

Anydesk.exe

windows7-x64

10

Anydesk.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-09-2024 17:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Anydesk.exe

  • Size

    2.6MB

  • MD5

    1260f4063a10df83764899a7e2126a59

  • SHA1

    56b19520b85d2847304c02c2c0cc1f6774d782b3

  • SHA256

    75a16dcebfd5ceed55da11872658e7456f47141476fc44a9159a25bf76da8613

  • SHA512

    0f5d2862a1f8be40cec3caa8d850412693df1199c029e5f4021cd9662e4dd467dbe0e0f668b398f109b9357f297a08abb939509abc677558ceabcead8dda0397

  • SSDEEP

    49152:hmWDukvNTiP4FsDG8ryS8woCFW7ACqZ0rFQU+pK0Mk:hzikVTsgaPb87ACqZIFQU+pK0l

Score
10/10
agentteslaevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Anydesk.exe
    "C:\Users\Admin\AppData\Local\Temp\Anydesk.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4552

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4552-0-0x00007FF813C53000-0x00007FF813C55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4552-1-0x0000024EE9630000-0x0000024EE98D6000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4552-3-0x0000024EEBDB0000-0x0000024EEBF34000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/4552-2-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-4-0x0000024EECA00000-0x0000024EECC14000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4552-5-0x0000024EEED10000-0x0000024EEED22000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4552-6-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-7-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-8-0x0000024EED500000-0x0000024EED5B2000-memory.dmp

    Filesize

    712KB

    Download

  • memory/4552-9-0x0000024EED600000-0x0000024EED622000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4552-11-0x0000024EED630000-0x0000024EED66C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4552-13-0x00007FF813C53000-0x00007FF813C55000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4552-14-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-15-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-16-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4552-18-0x00007FF813C50000-0x00007FF814711000-memory.dmp

    Filesize

    10.8MB

    Download