Overview

overview

10

Static

static

3

7458f31fbf...48.exe

windows7-x64

10

7458f31fbf...48.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-01-2025 01:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe

  • Size

    1.5MB

  • MD5

    4212dd2aaf1b4a9676b27d280273db44

  • SHA1

    41dca2b1f0a2450e773ea98f1427e5fd78905fb5

  • SHA256

    7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848

  • SHA512

    bfd88210e6103b1ddb89900bb6baa74d3a76c43b2510bd541d932f6808fdcad77cdcf12a1475a1b47a32359166c17e8c9c62d32f986e9fc21aa290456a3dcaf2

  • SSDEEP

    24576:y/FH/8izXYKTjkr1CrMGy+mGQOsXv1RIAhjLoamMiX4lNmZg0YxegPbUIDPP:y/FH/8yXYKyRSmGEjLoyEkmZ9Y14

Score
10/10
agentteslacollectioncredential_accessdiscoverykeyloggerspywarestealertrojan

Malware Config

Extracted

Credentials

  • Protocol:     smtp
  • Host:
    mail.alumisr.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    *Eg_alpr_SL@77*79#

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Reads WinSCP keys stored on the system 2 TTPs

    Tries to access WinSCP stored sessions.

    spywarestealer
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
    collection
  • Suspicious use of SetThreadContext 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
    "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4792
    • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
      "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
      2⤵
        PID:2700
      • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
        "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
        2⤵
          PID:2100
        • C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe
          "C:\Users\Admin\AppData\Local\Temp\7458f31fbf422f84810586fb736261b52c2ced7207c9055e22e1bdb7f1d04848.exe"
          2⤵
          • Accesses Microsoft Outlook profiles
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • outlook_office_path
          • outlook_win_path
          PID:4948

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/4792-12-0x000000000ACE0000-0x000000000AD7C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4792-16-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-2-0x0000000005CD0000-0x0000000006274000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4792-3-0x00000000057C0000-0x0000000005852000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4792-4-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-5-0x0000000005860000-0x000000000586A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4792-6-0x0000000006DF0000-0x0000000006E0A000-memory.dmp

        Filesize

        104KB

        Download

      • memory/4792-7-0x00000000752EE000-0x00000000752EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4792-8-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-9-0x000000000AA30000-0x000000000AA3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/4792-10-0x000000000AA40000-0x000000000AA8C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4792-11-0x00000000051B0000-0x0000000005232000-memory.dmp

        Filesize

        520KB

        Download

      • memory/4792-14-0x000000000AC80000-0x000000000ACBA000-memory.dmp

        Filesize

        232KB

        Download

      • memory/4792-13-0x000000000AE30000-0x000000000AE96000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4792-0-0x00000000752EE000-0x00000000752EF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4792-19-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4792-1-0x0000000000C40000-0x0000000000DC0000-memory.dmp

        Filesize

        1.5MB

        Download

      • memory/4948-18-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4948-15-0x0000000000400000-0x000000000043A000-memory.dmp

        Filesize

        232KB

        Download

      • memory/4948-20-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4948-21-0x00000000052E0000-0x00000000052F8000-memory.dmp

        Filesize

        96KB

        Download

      • memory/4948-22-0x00000000067D0000-0x0000000006820000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4948-23-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download

      • memory/4948-24-0x00000000752E0000-0x0000000075A90000-memory.dmp

        Filesize

        7.7MB

        Download