Overview

overview

10

Static

static

5

e3a9869287...70.exe

windows7-x64

10

e3a9869287...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-12-2024 01:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe

  • Size

    1.0MB

  • MD5

    9b9757a5fbdba08d72cdbf792719ce05

  • SHA1

    7c078ef89b481f54cd7662feee5667a05f1cf976

  • SHA256

    e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470

  • SHA512

    1c55ef18a10b757cf68662dceeb766891a260ba2d7befdce9bc243fe88f5367741773a34c940f623c8d0595237e7875e79a72df016767f058cc52a747dc021fb

  • SSDEEP

    24576:pRmJkcoQricOIQxiZY1iapbS9lys5p3evn:mJZoQrbTFZY1iapopp32n

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe
    "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2604
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
      2⤵
        PID:1984
      • C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe
        "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:3640
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
          3⤵
            PID:4148
          • C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe
            "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
            3⤵
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of WriteProcessMemory
            PID:1716
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
              4⤵
                PID:2368
              • C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe
                "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
                4⤵
                • Suspicious use of SetThreadContext
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: MapViewOfSection
                • Suspicious use of WriteProcessMemory
                PID:4184
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                  "C:\Users\Admin\AppData\Local\Temp\e3a98692873ba0cf199f4e0b22e80e3e648da2494824ac0094e64a806e5fe470.exe"
                  5⤵
                  • System Location Discovery: System Language Discovery
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2876

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\autA642.tmp
          Filesize

          263KB

          MD5

          97922ad76124355bf4a541fa9b7454d5

          SHA1

          c8c75993ca09c7a7f3123a4086a43d99bb8fb6a5

          SHA256

          7107f950f3851fb1baaac18abbe28ce1c794a504206d4cedd1c9964104d7bd98

          SHA512

          c37c410fcd61f1400e9d6e77812a780b4d2cc1bf025a68b922d87b9461f120b4cec9e1d1c4f523e05b6048f0c683fa17d50192f13e30a122aec8abced2da4fec

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\autBC5C.tmp
          Filesize

          9KB

          MD5

          41ef59538ee4ea64e4d25bbc56c68a3f

          SHA1

          90770d09fa37f8395c6643aff29cbd9e9e609598

          SHA256

          9416ff5fe819bc36681d143040836925f3e0f5fcfca18e920fb376f6ca371f42

          SHA512

          0f4fb93bc1d2d040502153059ec9cb5aa072b3cb8359b98427a9b6124c491483c3baafa1bf9bbd88ecfeae4d473d155bfa8b98fc5ea73e5ef032c8ecaa1ac286

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jailless
          Filesize

          29KB

          MD5

          cbc82a165f3fc70af6a715f89d5a2e98

          SHA1

          19925647a458aeb42321f031cccfcaaca7b0f710

          SHA256

          51ec1a307d2681809c872ca831547a4c7279d654d37ec43b00c6eb0f493a3f9a

          SHA512

          232956a7454428689ddb17150ddea99ca0c435c1d9a7e55809e816323b170df3e80ab941708ec411e3e3513f021f530c26e07629931ee1b0b790d761b0cd789d

          Download Submit

        • memory/2604-12-0x0000000001AE0000-0x0000000001AE4000-memory.dmp

          Filesize

          16KB

          Download

        • memory/2876-103-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-93-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-57-0x0000000003320000-0x0000000003376000-memory.dmp

          Filesize

          344KB

          Download

        • memory/2876-58-0x0000000005F50000-0x00000000064F4000-memory.dmp

          Filesize

          5.6MB

          Download

        • memory/2876-59-0x0000000005800000-0x0000000005854000-memory.dmp

          Filesize

          336KB

          Download

        • memory/2876-63-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-61-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-60-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-77-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-119-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-117-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-115-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-113-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-111-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-109-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-107-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-105-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-55-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/2876-101-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-99-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-95-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-56-0x0000000000400000-0x0000000000446000-memory.dmp

          Filesize

          280KB

          Download

        • memory/2876-91-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-89-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-87-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-85-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-83-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-79-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-75-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-73-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-71-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-69-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-67-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-65-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-121-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-97-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-81-0x0000000005800000-0x000000000584E000-memory.dmp

          Filesize

          312KB

          Download

        • memory/2876-1126-0x0000000005A10000-0x0000000005A76000-memory.dmp

          Filesize

          408KB

          Download

        • memory/2876-1127-0x0000000006E60000-0x0000000006EB0000-memory.dmp

          Filesize

          320KB

          Download

        • memory/2876-1128-0x0000000006F50000-0x0000000006FEC000-memory.dmp

          Filesize

          624KB

          Download

        • memory/2876-1129-0x0000000006FF0000-0x0000000007082000-memory.dmp

          Filesize

          584KB

          Download

        • memory/2876-1130-0x0000000006F30000-0x0000000006F3A000-memory.dmp

          Filesize

          40KB

          Download