Overview

overview

10

Static

static

5

Purchase order.exe

windows7-x64

10

Purchase order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-01-2025 01:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase order.exe

  • Size

    986KB

  • MD5

    9264f617827a682e6002378e6b61fd83

  • SHA1

    2e3c94f5df909457134b2297f67f8b766151ea92

  • SHA256

    02073441269355d1447b6dec157de4b6fe104d3aba666caf1cefac726abc5539

  • SHA512

    a5a48b1e554861c5ad13fe5504ea04807fe485f79dab9e3a0b76a241f5ca08a7ff2b1b3dba8cbdb8f656975f9841592423bae30e66b9cdc34139f41ac4a494a3

  • SSDEEP

    24576:uRmJkcoQricOIQxiZY1iaCpUliXtZTgtdsnvBcD3:7JZoQrbTFZY1iaCpnkdIvBcb

Score
10/10
agenttesladiscoverykeyloggerspywarestealertrojan

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Agenttesla family
    agenttesla
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
      2⤵
        PID:3248
      • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
        "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:4848
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
          "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
          3⤵
            PID:5008
          • C:\Users\Admin\AppData\Local\Temp\Purchase order.exe
            "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:3508
            • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
              "C:\Users\Admin\AppData\Local\Temp\Purchase order.exe"
              4⤵
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:2536

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\autBE3F.tmp
        Filesize

        259KB

        MD5

        139854402bb509362cb4aadd70cf9c6f

        SHA1

        9521816f131fd7f6533e0c45d83f26096e8cea2b

        SHA256

        0fc26679551231795003b5add7711fc3f0af05521e623283a97797ac72408c86

        SHA512

        1631eb8e5097b05473ee5107165a149ca283455db5f54a4a629eb773310e99aee89ff1d22f5979f0a5fc144c754d007b643a19d489b9d78bf3ed1167bdf43ff4

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\bothsidedness
        Filesize

        262KB

        MD5

        9fb8b318e87777398ac409babb05792a

        SHA1

        9e0e1309d9e9ae2bcaa457340d24eb1c4cc746ad

        SHA256

        9bd6583c633f2013f47a12feb4218af13554784fdb8fba473a0b29ada2bbed21

        SHA512

        ee9d77aeeea5e1a05238f770326a12ae13174f53b54727652862266968f34c995aa1b3c2d9f0cd8912ba69aab0b58b7d15c9746611c17d24a2325ab787f5443d

        Download Submit

      • memory/2536-69-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-1065-0x0000000006590000-0x000000000659A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2536-1066-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2536-23-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2536-24-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2536-25-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2536-26-0x0000000000400000-0x0000000000446000-memory.dmp

        Filesize

        280KB

        Download

      • memory/2536-27-0x0000000004F70000-0x0000000004FC4000-memory.dmp

        Filesize

        336KB

        Download

      • memory/2536-28-0x00000000055D0000-0x0000000005B74000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/2536-29-0x0000000005020000-0x0000000005072000-memory.dmp

        Filesize

        328KB

        Download

      • memory/2536-37-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-43-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-89-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-87-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-85-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-83-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-67-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-79-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-77-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-73-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-71-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-65-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-63-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-1064-0x0000000006620000-0x00000000066B2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2536-81-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-61-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-59-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-57-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-55-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-51-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-49-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-47-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-45-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-41-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-39-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-35-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-33-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-75-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-53-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-31-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-30-0x0000000005020000-0x000000000506D000-memory.dmp

        Filesize

        308KB

        Download

      • memory/2536-1062-0x00000000051F0000-0x0000000005256000-memory.dmp

        Filesize

        408KB

        Download

      • memory/2536-1063-0x0000000006530000-0x0000000006580000-memory.dmp

        Filesize

        320KB

        Download

      • memory/2540-6-0x0000000004100000-0x0000000004300000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/3508-22-0x0000000003CC0000-0x0000000003EC0000-memory.dmp

        Filesize

        2.0MB

        Download

      • memory/4848-14-0x0000000003BB0000-0x0000000003DB0000-memory.dmp

        Filesize

        2.0MB

        Download