Overview

overview

10

Static

static

3

Utility 1.0.5.3.exe

windows7-x64

10

Utility 1.0.5.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-09-2024 16:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Utility 1.0.5.3.exe

  • Size

    80.3MB

  • MD5

    9df116d463214ad42696da745600ee6e

  • SHA1

    dbbf859398a34306251c3b484362daba4c553f9d

  • SHA256

    42f87dcc7c95180584c1a4bc47741a9c916cffaf3acb66e1afcc77c82bbd7e05

  • SHA512

    58f9458d4c38df4502603e6ec9a32696b0e0d6fdd907a54bf0db2fb8474843c01451ae4886cb3e129ae955220d13e4a6a959a17cc765f2cebe4d810338714827

  • SSDEEP

    1572864:Z8XoJR784k9uzlSh5s2pGkBhKSUaWrlz/EKshAI2Ua59wVtXcTymTFYw9mK:eg84OuAL5KaWd/oAIcwVRIz

Score
10/10
agenttesladiscoveryevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 48 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Utility 1.0.5.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Utility 1.0.5.3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:4248

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4248-0-0x0000000000400000-0x0000000005A0C000-memory.dmp

    Filesize

    86.0MB

    Download

  • memory/4248-2-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-1-0x0000000076610000-0x0000000076611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4248-3-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-4-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-6-0x0000000000400000-0x0000000005A0C000-memory.dmp

    Filesize

    86.0MB

    Download

  • memory/4248-7-0x0000000000400000-0x0000000005A0C000-memory.dmp

    Filesize

    86.0MB

    Download

  • memory/4248-8-0x000000000A230000-0x000000000A39A000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/4248-9-0x000000000E150000-0x000000000E6F4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4248-10-0x000000000A3A0000-0x000000000A432000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4248-11-0x000000000A720000-0x000000000A916000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4248-12-0x000000000A440000-0x000000000A4A6000-memory.dmp

    Filesize

    408KB

    Download

  • memory/4248-13-0x000000000D150000-0x000000000D1E6000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4248-14-0x000000000A910000-0x000000000A932000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4248-15-0x000000000D1E0000-0x000000000D276000-memory.dmp

    Filesize

    600KB

    Download

  • memory/4248-16-0x000000000D280000-0x000000000D3C2000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4248-17-0x0000000000400000-0x0000000005A0C000-memory.dmp

    Filesize

    86.0MB

    Download

  • memory/4248-20-0x000000001B700000-0x0000000020024000-memory.dmp

    Filesize

    73.1MB

    Download

  • memory/4248-21-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-22-0x000000000A6E0000-0x000000000A6EA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4248-23-0x000000000E090000-0x000000000E091000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4248-24-0x000000000E0A0000-0x000000000E0B2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/4248-26-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-27-0x000000003D330000-0x000000003D36C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/4248-28-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download

  • memory/4248-30-0x00000000765F0000-0x00000000766E0000-memory.dmp

    Filesize

    960KB

    Download