Overview

overview

10

Static

static

3

aa4b277c8b...b3.exe

windows7-x64

10

aa4b277c8b...b3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    14s
  • max time network
    78s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    17/11/2024, 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa4b277c8b219071a9d1196920c5929ed3c7b368b14e2daf241e1001216c25b3.exe

  • Size

    1.8MB

  • MD5

    73c13ccef8a21994322a9d6088753294

  • SHA1

    7b3d167c9d3af83abe772040fe87507e08a56665

  • SHA256

    aa4b277c8b219071a9d1196920c5929ed3c7b368b14e2daf241e1001216c25b3

  • SHA512

    c8943fcfe0fa4da8c9b9e8cff0dbe032b806fa520eeceb4f05c56a95afe93b60ea4ae375d53ffb53194ee52c774961cad0209608a5aeb120439361ab534c2ac5

  • SSDEEP

    12288:Ehsv71fj25HTvgxSoog9so0aFj+HIbJCRTGvDsFbsQ4cp:E2p6pkSoeo0a44CRG7Ioi

Score
10/10
agenttesladiscoveryevasionexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6852245174:AAHgk_9s-tH6YNacTaCnQz56uJMggI0fZDw/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\aa4b277c8b219071a9d1196920c5929ed3c7b368b14e2daf241e1001216c25b3.exe
    "C:\Users\Admin\AppData\Local\Temp\aa4b277c8b219071a9d1196920c5929ed3c7b368b14e2daf241e1001216c25b3.exe"
    1⤵
    • UAC bypass
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2248
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\aa4b277c8b219071a9d1196920c5929ed3c7b368b14e2daf241e1001216c25b3.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2712
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1276
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 2248 -s 804
      2⤵
        PID:2900

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1276-17-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-14-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-19-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-10-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-8-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1276-12-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/1276-18-0x0000000000400000-0x0000000000444000-memory.dmp

      Filesize

      272KB

      Download

    • memory/2248-0-0x000007FEF64B3000-0x000007FEF64B4000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2248-1-0x0000000001320000-0x0000000001338000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2248-3-0x000000001B170000-0x000000001B206000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2248-2-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2248-23-0x000007FEF64B0000-0x000007FEF6E9C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2712-20-0x0000000002650000-0x00000000026D0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2712-21-0x000000001B2F0000-0x000000001B5D2000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2712-22-0x0000000002370000-0x0000000002378000-memory.dmp

      Filesize

      32KB

      Download