Overview

overview

10

Static

static

3

Request fo...32.exe

windows7-x64

10

Request fo...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    16/10/2024, 01:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Request for Quote GE63138XM32.exe

  • Size

    834KB

  • MD5

    102cd04929ffa73b9584a7c6953a8ca5

  • SHA1

    6f7943b1901c44c28bc16483b4187bc8f15f5742

  • SHA256

    3890bc2638beaf831fb3ad49af5442ef5118d70a6d7c25a3fb0b05e47d9e75e6

  • SHA512

    ba7c17f3ddf61bf2a8ba7d2912b2a3b2737616bad21accfa84db8b958ab33a0b3b197a6326c240e8bbc23dfe8f0868bb68a19a20141e50ca9d9da258442e3694

  • SSDEEP

    12288:DeUSST7V67gJFlY5qWHJv/h42L7ukEYIbMpY6vbDOQv/Zlav7klgrdm4Vz0Rppp5:DcM7Y7gJFZWpvq2L7ukEYIWvPT

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Request for Quote GE63138XM32.exe
    "C:\Users\Admin\AppData\Local\Temp\Request for Quote GE63138XM32.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Request for Quote GE63138XM32.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2132
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\zxnBrlQ.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2964
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\zxnBrlQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE2E0.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1036
    • C:\Users\Admin\AppData\Local\Temp\Request for Quote GE63138XM32.exe
      "C:\Users\Admin\AppData\Local\Temp\Request for Quote GE63138XM32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2744

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpE2E0.tmp
    Filesize

    1KB

    MD5

    cb8edebbe10356faad8845eb92dadb6f

    SHA1

    0f61f3ac4d9064fca744df57e30f917770e838db

    SHA256

    deed72006f28b73814b7f91e883460dddb695504bd1252b38f1f14a48a15fa84

    SHA512

    33a091459477e6f7a004c5b3ed08cc24c7736b220b6fad996e37556a251b3bda9aae77e04f6f425b83e1e4bd59de171acec95a5b456485877e480e3582982851

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    821cba6934a396939a9986aa42ab84c6

    SHA1

    bf0ce99b7ac3dd456a4c0dbc3661ed939795d95e

    SHA256

    981f93a236d0016b6c40dd35633c372c613866c34cc213e3b0aa2400b3f21bf0

    SHA512

    ffdf4f74a2a9ba02e6ebd34bfaa525f2c07d77188f9281abda75d6f377cf197fd8fed6cd3a3bba87623fac7603db8e486cebcfdbb54bc0b388082e0862ebf294

    Download Submit

  • memory/2744-28-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-23-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-25-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2744-29-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-30-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-21-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2744-20-0x0000000000400000-0x0000000000440000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2976-6-0x00000000052D0000-0x0000000005352000-memory.dmp

    Filesize

    520KB

    Download

  • memory/2976-1-0x0000000000890000-0x0000000000968000-memory.dmp

    Filesize

    864KB

    Download

  • memory/2976-0-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-2-0x0000000074A30000-0x000000007511E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-3-0x00000000009F0000-0x0000000000A02000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2976-5-0x0000000074A30000-0x000000007511E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2976-4-0x0000000074A3E000-0x0000000074A3F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2976-31-0x0000000074A30000-0x000000007511E000-memory.dmp

    Filesize

    6.9MB

    Download