Resubmissions

21-12-2024 22:57

241221-2xpr2atjar 10

21-12-2024 20:29

241221-y9xfvsyngy 10

Analysis

  • max time kernel
    50s
  • max time network
    95s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    21-12-2024 22:57

General

  • Target

    170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe

  • Size

    1.2MB

  • MD5

    749fd58dcffee43317d573fbec8eaddf

  • SHA1

    08964a5cbccfe8460fdbd126004ffdd6c81a1121

  • SHA256

    170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4

  • SHA512

    357eb5dcdaa4aa2249d8a1937cae7c8d362466d63fcbe8232cdf8c561623ee7470ae9f4601090dffb3b41545a032d63fcaba504a0c3c1bbaba579c1333b3f09f

  • SSDEEP

    24576:XAOcZ9OUVm7BVha9TlEkqIMMvBwA2MNxjFJ7oHeWXL7WY:pC0klEkTMMvZx9+7WY

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

Agent Tesla is a .NET remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET.

  • Agenttesla family
  • Executes dropped EXE 1 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe
    "C:\Users\Admin\AppData\Local\Temp\170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1664
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\temp\7_26\uhssom.vbe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4372
      • C:\Users\Admin\AppData\Local\Temp\7_26\heqne.exe
        "C:\Users\Admin\AppData\Local\Temp\7_26\heqne.exe" hoxffaximw.tnm
        3⤵
        • Executes dropped EXE
        • Adds Run key to start application
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1924
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
          4⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:404
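The process tree above is the whole story of this sample: the submitted EXE starts WScript.exe on a dropped .vbe, the script launches a second dropped EXE from the same Temp folder, and that EXE starts RegSvcs.exe with no arguments (a legitimate RegSvcs invocation takes an assembly path), which together with the SetThreadContext signature on the parent is the usual hollowing setup. The following Python is an added worked example, not part of the sandbox report or any vendor signature: it encodes the tree as constructed events (PIDs, images and command lines copied from the page; parent links inferred from the tree depth) and runs three detection rules over them.

```python
"""Encode the report's process chain as events and flag the suspicious links.

Added example, not part of the original report. EVENTS is constructed from
the process tree on this page; parent PIDs follow the indentation depth.
"""
import ntpath
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int        # 0 = parent not present in the trace
    image: str       # full path of the executed image
    cmdline: str


SAMPLE = "170dc238d7e8c6f55a0aedddd2d01deb03d62e71d7da5c51f67632d2de3f93a4.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE_EXE = ntpath.join(TEMP, SAMPLE)
DROP_DIR = ntpath.join(TEMP, "7_26")
VBE = ntpath.join(DROP_DIR, "uhssom.vbe")
HEQNE = ntpath.join(DROP_DIR, "heqne.exe")
WSCRIPT = r"C:\Windows\System32\WScript.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"


def q(s):
    return '"' + s + '"'


# Constructed from the report's process tree (depths 1..4).
EVENTS = [
    ProcEvent(1664, 0, SAMPLE_EXE, q(SAMPLE_EXE)),
    ProcEvent(4372, 1664, r"C:\Windows\SysWOW64\WScript.exe", q(WSCRIPT) + " " + q(VBE)),
    ProcEvent(1924, 4372, HEQNE, q(HEQNE) + " hoxffaximw.tnm"),
    ProcEvent(404, 1924, REGSVCS, q(REGSVCS)),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# .NET framework utilities commonly used as hollowing hosts; all of them
# normally take an assembly path as their first argument.
NET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}
SCRIPT_EXTS = {".vbe", ".vbs", ".js", ".jse", ".wsf"}


def argv(cmdline):
    """Split a Windows command line; posix=False keeps backslashes literal."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def name(path):
    return ntpath.basename(path).lower()


def in_user_temp(path):
    return "\\appdata\\local\\temp\\" in path.lower()


def by_pid(events):
    return {e.pid: e for e in events}


def detect(events):
    """Return (rule, pid) for every event that matches one of three rules."""
    procs = by_pid(events)
    hits = []
    for e in events:
        args = argv(e.cmdline)
        parent = procs.get(e.ppid)
        img = name(e.image)
        # 1. Script host run against a script that lives in the user's Temp.
        if img in SCRIPT_HOSTS and any(
                ntpath.splitext(a)[1].lower() in SCRIPT_EXTS and in_user_temp(a)
                for a in args[1:]):
            hits.append(("script_host_runs_temp_script", e.pid))
        # 2. Script host starts an executable dropped under Temp.
        if (parent and name(parent.image) in SCRIPT_HOSTS
                and img.endswith(".exe") and in_user_temp(e.image)):
            hits.append(("script_host_spawns_temp_exe", e.pid))
        # 3. .NET utility started with no assembly argument by a parent in Temp:
        #    the pattern that goes with the SetThreadContext signature above.
        if img in NET_HOSTS and len(args) == 1 and parent and in_user_temp(parent.image):
            hits.append(("dotnet_host_launched_without_assembly", e.pid))
    return hits


def chain(events, pid):
    """Image names from the root of the trace down to `pid`."""
    procs = by_pid(events)
    out = []
    while pid in procs:
        out.append(name(procs[pid].image))
        pid = procs[pid].ppid
    return out[::-1]


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}, chain {' -> '.join(chain(EVENTS, pid))}")
```

Each rule on its own is noisy on a developer workstation (WScript from Temp is common in installers); the value is in the chain, which is why `chain()` is printed alongside every hit so an analyst can see the full ancestry before deciding.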

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7_26\bfbrpsk.bkw

    Filesize

    436KB

    MD5

    b0add0cb56db32ba1611c2e8851ccc8f

    SHA1

    2d259cba38fa8dd01065e6e0dda3355f4e9d2cd0

    SHA256

    01eed5afb7421f97f89f5235433f411151d4781e134726f9b39633dde27ec82a

    SHA512

    8d18c86c14cfe743dd1609f96550cefb261840d3d63bd25fedbf72828713ed72f49b209067c7b33a709ccecbea2eff9d59b181b9265a3a653d6e45aa62a30955

  • C:\Users\Admin\AppData\Local\Temp\7_26\heqne.exe

    Filesize

    1.1MB

    MD5

    6a9581a22339fe367f7b82160b2c5732

    SHA1

    3d12482cacb6d29e7d825ccb7835a38b86fad01b

    SHA256

    6aa2077530a2ca6bc3bc5ec1d39e3419ec1c1e30ce6e56a3ff07cff96e4d1dc2

    SHA512

    ac3e46c908c738a189cf71ffd2557e87e5f7f75d62cf52ad19f2e8d93d30bc78497b91cc4fde24ad563ac7dd9c68fb828e67bf5c83bca9552fee020567c6252e

  • C:\Users\Admin\AppData\Local\Temp\7_26\rfxkvtvnq.xls

    Filesize

    52KB

    MD5

    9414397814e6accbc1b013b67870b7a9

    SHA1

    4baea1a35b3ed47ead66d438536a39331aee2645

    SHA256

    261f4edb8d6bb1f210e657534095c5b74fe3e28c3a63e21be151e7448f262459

    SHA512

    b611aeb088c53dc22c306922a788b642d806f81cb17db71bb8ec2537cb897ff2c0d4d1ed731bf99fbd3d9880f1d66df318bae342f5fa083328d67da599ca2091

  • C:\Users\Admin\AppData\Local\temp\7_26\uhssom.vbe

    Filesize

    34KB

    MD5

    9a21cac3383f9051fce46bc115bc9982

    SHA1

    2f06642310d31f0470dece2d7e9384bc63de35e5

    SHA256

    615e14ee4c04d34e382017023e234f3dfe1a84f4ece85a8c148a8d08bf3253eb

    SHA512

    00fec0a069b512b07f788d0bd62c002c1b6ee60d6c58ee12382b5ba77c240c900aab587660f072b4a3de91b01df76a380e6946da79c2a32c0b9cb9ccafc2085a

  • memory/404-77-0x0000000006370000-0x0000000006916000-memory.dmp

    Filesize

    5.6MB

  • memory/404-76-0x0000000000E00000-0x0000000000E3C000-memory.dmp

    Filesize

    240KB

  • memory/404-75-0x0000000000E00000-0x000000000150C000-memory.dmp

    Filesize

    7.0MB

  • memory/404-78-0x0000000005E60000-0x0000000005EFC000-memory.dmp

    Filesize

    624KB

  • memory/404-79-0x0000000005E00000-0x0000000005E18000-memory.dmp

    Filesize

    96KB

  • memory/404-80-0x0000000006A90000-0x0000000006AF6000-memory.dmp

    Filesize

    408KB

  • memory/404-81-0x00000000071D0000-0x0000000007220000-memory.dmp

    Filesize

    320KB

  • memory/404-82-0x0000000007340000-0x00000000073D2000-memory.dmp

    Filesize

    584KB

  • memory/404-83-0x00000000072E0000-0x00000000072EA000-memory.dmp

    Filesize

    40KB
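Every memory dump listed for PID 404 (the RegSvcs.exe process) encodes its address range in the file name, and the sizes shown are just end minus start. The Python below is an added example, not part of the report: it parses those names (assuming the naming scheme memory/PID-SEQ-START-END-memory.dmp used on this page), recomputes the sizes in the report's own MB/KB format, verifies them against the stated values, and reports regions whose ranges overlap, which here flags the two captures at 0x0000000000E00000 with different extents.

```python
"""Parse the memory dump names from the report and sanity-check them.

Added example, not part of the original report. DUMPS is copied from the
Downloads section above; the name layout memory/<pid>-<seq>-<start>-<end>
is an assumption based on how this page lists them.
"""
import re
from dataclasses import dataclass

DUMPS = {
    "memory/404-77-0x0000000006370000-0x0000000006916000-memory.dmp": "5.6MB",
    "memory/404-76-0x0000000000E00000-0x0000000000E3C000-memory.dmp": "240KB",
    "memory/404-75-0x0000000000E00000-0x000000000150C000-memory.dmp": "7.0MB",
    "memory/404-78-0x0000000005E60000-0x0000000005EFC000-memory.dmp": "624KB",
    "memory/404-79-0x0000000005E00000-0x0000000005E18000-memory.dmp": "96KB",
    "memory/404-80-0x0000000006A90000-0x0000000006AF6000-memory.dmp": "408KB",
    "memory/404-81-0x00000000071D0000-0x0000000007220000-memory.dmp": "320KB",
    "memory/404-82-0x0000000007340000-0x00000000073D2000-memory.dmp": "584KB",
    "memory/404-83-0x00000000072E0000-0x00000000072EA000-memory.dmp": "40KB",
}

PAT = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)


@dataclass(frozen=True)
class Region:
    pid: int
    seq: int      # capture sequence number within the run
    start: int
    end: int

    @property
    def size(self):
        return self.end - self.start


def parse(name):
    m = PAT.fullmatch(name)
    if not m:
        raise ValueError(f"unexpected dump name: {name}")
    return Region(int(m["pid"]), int(m["seq"]), int(m["start"], 16), int(m["end"], 16))


def human(nbytes):
    """Format the way the report does: one decimal in MB above 1 MiB, else whole KB."""
    if nbytes >= 1024 * 1024:
        return f"{nbytes / (1024 * 1024):.1f}MB"
    return f"{nbytes // 1024}KB"


def size_mismatches(dumps):
    """Names whose stated size disagrees with end - start (expected: none)."""
    return [n for n, stated in dumps.items() if human(parse(n).size) != stated]


def overlapping_pairs(regions):
    """(seq_a, seq_b) for every pair of regions whose address ranges intersect."""
    regs = sorted(regions, key=lambda r: r.seq)
    pairs = []
    for i, a in enumerate(regs):
        for b in regs[i + 1:]:
            if a.pid == b.pid and a.start < b.end and b.start < a.end:
                pairs.append((a.seq, b.seq))
    return pairs


if __name__ == "__main__":
    regions = [parse(n) for n in DUMPS]
    for r in sorted(regions, key=lambda r: r.size, reverse=True):
        print(f"seq {r.seq}: {r.start:#018x}-{r.end:#018x} {human(r.size)}")
    print("size mismatches:", size_mismatches(DUMPS))
    print("overlapping captures:", overlapping_pairs(regions))
```

The overlap between captures 75 and 76 shows the region at 0x0000000000E00000 changed extent between snapshots, which is what you expect from a host process that had a new image written into it. When carving for the unpacked payload, start with the largest captures (75 and 77) rather than the small ones.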