Overview

overview

10

Static

static

3

GH987667890000.exe

windows7-x64

10

GH987667890000.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    96s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    03-10-2024 08:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    GH987667890000.exe

  • Size

    788KB

  • MD5

    13056701d66cd5f352657bc21e9a4b2e

  • SHA1

    cc16cbd465b2cf203644de3c76934f6a030e3f74

  • SHA256

    9e30a7dadfe8f7f35f91d06fb067875d0eb96c2ffe210636505f4ed9b49b8593

  • SHA512

    d56fd29326cb69716c6b5284335ebf574cc9ce58678c0aa0627926e605e5916df1466435c1dd5a11974d5b8a09e4968b337ea57e2b862ade2846b8de79315694

  • SSDEEP

    12288:ujSXMDXK+HgGy4JAru9X57VQ6CcPB3fQ/XfVP7kkPNpz94RuCxB6A7N5R:PcDXBAl4e6V5BzPBWP9X9LG6A7Nb

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:     ftp
  • Host:
    ftp://ftp.antoniomayol.com:21
  • Port:
    21
  • Username:
    [email protected]
  • Password:
    cMhKDQUk1{;%

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\GH987667890000.exe
    "C:\Users\Admin\AppData\Local\Temp\GH987667890000.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\GH987667890000.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2864
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\xIXhmiLVmuR.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2812
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xIXhmiLVmuR" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3006.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2472
    • C:\Users\Admin\AppData\Local\Temp\GH987667890000.exe
      "C:\Users\Admin\AppData\Local\Temp\GH987667890000.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2724

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp3006.tmp
    Filesize

    1KB

    MD5

    a33f0fe28f4d40eb1830df70b6708d27

    SHA1

    31e393eba8e7fb5f0a879d1a0dd2f6458a83e78f

    SHA256

    3e1e2a716cc0a851028a7b2b91e64cf35818775c2b4c9df0a9eec2233165fd4e

    SHA512

    906e8f72c691771adb653a770e00335df20663545df98ca01c38635669378d04b21fe46c4379d85f36cda1d904f65952985bfd10f8d3ca9ad9a602c6ba72526d

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    57e6031353a89a4511c5464123781353

    SHA1

    1303b6ad98476c0510f25d37efab5dfe0f7d3209

    SHA256

    8cedddeb6c2ebb4a13cd93d3969beca8240b18ec4d2a7c9f548ac424cc2d229f

    SHA512

    64a75ba3b5698ea438ada96af6a0125a43121b2b3d8eda09756c9de3c21b2d81084b7c8d53d006af65628726781052e5e8a01916c744a3a2df5214a8271a1365

    Download Submit

  • memory/2604-4-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-31-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2604-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2604-5-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2604-6-0x00000000002E0000-0x0000000000364000-memory.dmp

    Filesize

    528KB

    Download

  • memory/2604-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2604-1-0x00000000009C0000-0x0000000000A8C000-memory.dmp

    Filesize

    816KB

    Download

  • memory/2604-3-0x0000000000930000-0x000000000094E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2724-19-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-30-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-29-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2724-25-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-23-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-22-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download

  • memory/2724-28-0x0000000000400000-0x0000000000442000-memory.dmp

    Filesize

    264KB

    Download