Overview

overview

10

Static

static

3

Utility1.0.5.3.exe

windows7-x64

10

Utility1.0.5.3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-09-2024 13:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Utility1.0.5.3.exe

  • Size

    80.3MB

  • MD5

    9df116d463214ad42696da745600ee6e

  • SHA1

    dbbf859398a34306251c3b484362daba4c553f9d

  • SHA256

    42f87dcc7c95180584c1a4bc47741a9c916cffaf3acb66e1afcc77c82bbd7e05

  • SHA512

    58f9458d4c38df4502603e6ec9a32696b0e0d6fdd907a54bf0db2fb8474843c01451ae4886cb3e129ae955220d13e4a6a959a17cc765f2cebe4d810338714827

  • SSDEEP

    1572864:Z8XoJR784k9uzlSh5s2pGkBhKSUaWrlz/EKshAI2Ua59wVtXcTymTFYw9mK:eg84OuAL5KaWd/oAIcwVRIz

Score
10/10
agenttesladiscoveryevasionkeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • AgentTesla payload 1 IoCs
  • Detected Nirsoft tools 1 IoCs

    Free utilities often used by attackers which can steal passwords, product keys, etc.

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Utility1.0.5.3.exe
    "C:\Users\Admin\AppData\Local\Temp\Utility1.0.5.3.exe"
    1⤵
    • Identifies VirtualBox via ACPI registry values (likely anti-VM)
    • Checks BIOS information in registry
    • Checks whether UAC is enabled
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:1440
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4148,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=3804 /prefetch:8
    1⤵
      PID:1180

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1440-0-0x0000000000400000-0x0000000005A0C000-memory.dmp

      Filesize

      86.0MB

      Download

    • memory/1440-2-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-3-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-1-0x00000000765D0000-0x00000000765D1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1440-5-0x0000000000400000-0x0000000005A0C000-memory.dmp

      Filesize

      86.0MB

      Download

    • memory/1440-6-0x0000000000400000-0x0000000005A0C000-memory.dmp

      Filesize

      86.0MB

      Download

    • memory/1440-7-0x000000000A0A0000-0x000000000A20A000-memory.dmp

      Filesize

      1.4MB

      Download

    • memory/1440-8-0x000000000E010000-0x000000000E5B4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/1440-9-0x000000000A2E0000-0x000000000A372000-memory.dmp

      Filesize

      584KB

      Download

    • memory/1440-10-0x000000000D010000-0x000000000D206000-memory.dmp

      Filesize

      2.0MB

      Download

    • memory/1440-11-0x000000000A380000-0x000000000A3E6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/1440-12-0x000000000A660000-0x000000000A6F6000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1440-13-0x000000000A060000-0x000000000A082000-memory.dmp

      Filesize

      136KB

      Download

    • memory/1440-14-0x000000000A6F0000-0x000000000A786000-memory.dmp

      Filesize

      600KB

      Download

    • memory/1440-15-0x000000000D200000-0x000000000D342000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1440-16-0x0000000000400000-0x0000000005A0C000-memory.dmp

      Filesize

      86.0MB

      Download

    • memory/1440-18-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-21-0x0000000019940000-0x000000001E264000-memory.dmp

      Filesize

      73.1MB

      Download

    • memory/1440-22-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-23-0x000000000A7B0000-0x000000000A7BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1440-24-0x000000000D7C0000-0x000000000D7C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1440-25-0x000000000DF90000-0x000000000DFA2000-memory.dmp

      Filesize

      72KB

      Download

    • memory/1440-26-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-27-0x00000000128B0000-0x00000000128EC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/1440-29-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download

    • memory/1440-30-0x00000000765B0000-0x00000000766A0000-memory.dmp

      Filesize

      960KB

      Download