Analysis

  • max time kernel
    117s
  • max time network
    117s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    19/09/2024, 01:30 UTC

General

  • Target

    80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe

  • Size

    1.6MB

  • MD5

    f711e5126f671f7a3b4e124bd553bcdb

  • SHA1

    8ab7bcc77eee7973845299edc8209e7a94c3cc4b

  • SHA256

    80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616

  • SHA512

    af8c950452169d34a5d56761b20f1968cf99577211668d9f9aa8511d5076fa330b0653a58fcde7ececd8ad5695acffa0460f13affc48831222646c5e4e4fcd6e

  • SSDEEP

    24576:keq3CCnM8MvCqPS9mL04ya8zoKUjXpjXssz3POkTqiB/:zCnTMK2+mcroKUjXNXNZ

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot7000875199:AAGcJDBHFcfVUBvhBO4xZLw34OXk1NWXSe0/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe
    "C:\Users\Admin\AppData\Local\Temp\80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2460
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GFoZjxH.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2756
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GFoZjxH" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAE9.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2820
    • C:\Users\Admin\AppData\Local\Temp\80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe
      "C:\Users\Admin\AppData\Local\Temp\80c7d29a1d98676c27132672175396193cb92ee30bdcfbf6a6c0ceb41b3d9616.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2568

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAE9.tmp

    Filesize

    1KB

    MD5

    21d81737fe69a64fee09de9a5e7c851c

    SHA1

    b4396d4b650cdb791fceb688dfe550b4ae7af43c

    SHA256

    b779e43ebe2d0c84df3d765b38dd99144781521b44a802f370ba422d6642623e

    SHA512

    5e7cc0da56b7491cf80f8d8db7573aae232830315977ac1a9fe219d1d0db4dc65ced2affe453bc4e24819a27b6ea5ee07e1762b08e79e0b3faddf5b83c9507ee

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0MU36VHTPV1C9P8GW242.temp

    Filesize

    7KB

    MD5

    cc13d6e396ed91af0e1ae6dd7fa2399e

    SHA1

    fdadbdf35767ea0811c328d2e81f5b9795fe00c5

    SHA256

    cf995240ba1786cd93f12666236e6391f410ec341a9a0bad6aca7289e6213a1e

    SHA512

    fca33a587f0bece7b461e4acc2c3372851f5881c7caefd557609e4ff2ffa556ab822e5e744397d6c53adb65771e33ef4686cf7491557248e280a576c647fec97

  • memory/2460-30-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2460-1-0x00000000013A0000-0x0000000001474000-memory.dmp

    Filesize

    848KB

  • memory/2460-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2460-3-0x0000000000250000-0x000000000025E000-memory.dmp

    Filesize

    56KB

  • memory/2460-4-0x00000000740E0000-0x00000000747CE000-memory.dmp

    Filesize

    6.9MB

  • memory/2460-5-0x00000000051B0000-0x0000000005234000-memory.dmp

    Filesize

    528KB

  • memory/2460-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

    Filesize

    4KB

  • memory/2568-18-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2568-24-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-20-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

  • memory/2568-27-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB
