Overview

overview

10

Static

static

3

DBG1475766...cr.exe

windows7-x64

10

DBG1475766...cr.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    123s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-09-2024 14:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DBG1475766.pdf.scr.exe

  • Size

    666KB

  • MD5

    ceed99d84eed3e759728b9eeea0be0c7

  • SHA1

    54084910a2c7ca660b644dece24e04130fa4d227

  • SHA256

    838053d3c2a1423831cad1dc9b8ca3f036328c05d2cb5c81fbb18dda832aad54

  • SHA512

    7af4117132a1fac74288e0b09a8c49413ad51c6732b493527c8c1462c3c21956cbf8827aae3b7ede27215e28b304682ab5269f8479169f7e07f9dbb5df590838

  • SSDEEP

    12288:XGD8U5frL49pJE2e0ij/btr6YoJ3dk5mYBoD9Qah3irjC9i72lMW:m8U5fg9fE/0ijhrZojksBQqirjCkEMW

Score
10/10
agentteslacredential_accessdiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.alitextile.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    Myname@321

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe
    "C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3244
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uZmdtYZy.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uZmdtYZy" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED7D.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:760
    • C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe
      "C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe"
      2⤵
        PID:4124
      • C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe
        "C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe"
        2⤵
          PID:528
        • C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe
          "C:\Users\Admin\AppData\Local\Temp\DBG1475766.pdf.scr.exe"
          2⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:2804

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixo00o2a.m2z.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmpED7D.tmp
        Filesize

        1KB

        MD5

        636e3f267f38d09096bbf3b426a54321

        SHA1

        a37f7da050f798204b0b1d68715079104a50595a

        SHA256

        d37ddfbff049736421a325b091bd864ae3dc6cac70fb03abf956f28f6e09319c

        SHA512

        e4393e75c69fab003d528e86c27779d5480e9f025ca2c5f118a61faa98b49750357ce88113369ed243d8ccb6c5fe7b6650a8874766becfaa9ce2cfb0db0c3a40

        Download Submit

      • memory/2576-57-0x0000000007E10000-0x0000000007E21000-memory.dmp

        Filesize

        68KB

        Download

      • memory/2576-40-0x00000000078D0000-0x0000000007902000-memory.dmp

        Filesize

        200KB

        Download

      • memory/2576-18-0x0000000005B90000-0x00000000061B8000-memory.dmp

        Filesize

        6.2MB

        Download

      • memory/2576-58-0x0000000007E40000-0x0000000007E4E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/2576-19-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2576-56-0x0000000007E90000-0x0000000007F26000-memory.dmp

        Filesize

        600KB

        Download

      • memory/2576-55-0x0000000007C80000-0x0000000007C8A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2576-20-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2576-54-0x0000000007C10000-0x0000000007C2A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2576-15-0x0000000002FD0000-0x0000000003006000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2576-61-0x0000000007F30000-0x0000000007F38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/2576-17-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2576-59-0x0000000007E50000-0x0000000007E64000-memory.dmp

        Filesize

        80KB

        Download

      • memory/2576-60-0x0000000007F50000-0x0000000007F6A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/2576-53-0x0000000008260000-0x00000000088DA000-memory.dmp

        Filesize

        6.5MB

        Download

      • memory/2576-52-0x0000000007910000-0x00000000079B3000-memory.dmp

        Filesize

        652KB

        Download

      • memory/2576-25-0x00000000062A0000-0x0000000006306000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2576-24-0x0000000006230000-0x0000000006296000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2576-41-0x0000000070730000-0x000000007077C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2576-23-0x0000000005B20000-0x0000000005B42000-memory.dmp

        Filesize

        136KB

        Download

      • memory/2576-51-0x0000000006EA0000-0x0000000006EBE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2576-64-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2576-28-0x0000000006310000-0x0000000006664000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2576-38-0x00000000068F0000-0x000000000690E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/2576-39-0x0000000006920000-0x000000000696C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/2804-26-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2804-65-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/2804-66-0x0000000007400000-0x0000000007450000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2804-21-0x0000000000400000-0x0000000000442000-memory.dmp

        Filesize

        264KB

        Download

      • memory/3244-7-0x000000007447E000-0x000000007447F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3244-9-0x0000000006070000-0x00000000060F4000-memory.dmp

        Filesize

        528KB

        Download

      • memory/3244-8-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-27-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-6-0x0000000004CE0000-0x0000000004CF0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3244-5-0x0000000004B60000-0x0000000004B6A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/3244-4-0x0000000074470000-0x0000000074C20000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/3244-3-0x0000000004B90000-0x0000000004C22000-memory.dmp

        Filesize

        584KB

        Download

      • memory/3244-2-0x00000000050A0000-0x0000000005644000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/3244-1-0x00000000000F0000-0x000000000019E000-memory.dmp

        Filesize

        696KB

        Download

      • memory/3244-10-0x0000000009C50000-0x0000000009CEC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/3244-0-0x000000007447E000-0x000000007447F000-memory.dmp

        Filesize

        4KB

        Download