Overview

overview

10

Static

static

3

bfdeb36839...8c.exe

windows7-x64

10

bfdeb36839...8c.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    05-07-2024 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bfdeb36839c4bea7f10ff81531bf3bc7994d13ac97060f72154c61e5e3dbbd8c.exe

  • Size

    802KB

  • MD5

    41413fc60a8ab3de8dd4c588cf655ac8

  • SHA1

    3a712fbb23cacb731e225f5cc07ee3c669e16e6b

  • SHA256

    bfdeb36839c4bea7f10ff81531bf3bc7994d13ac97060f72154c61e5e3dbbd8c

  • SHA512

    cc23d86565ffa4101770bddcccea607546b911cae16651869d18a94ddf9e859fe1af58c1844dd3dba8013471ae7334755bfe7a6f07d99cb78985047c8de690d5

  • SSDEEP

    12288:jdjofC1PqbsDovxW4y2a40hAmT8Ed8wWeBXtgJJg2NdduvEspw:D1qYD143aHhmEd8wpBXtgg2n0ca

Score
10/10
agentteslaexecutionkeyloggerspywarestealertrojan

Malware Config

Extracted

Family

agenttesla

Credentials

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

    keyloggertrojanstealerspywareagenttesla
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bfdeb36839c4bea7f10ff81531bf3bc7994d13ac97060f72154c61e5e3dbbd8c.exe
    "C:\Users\Admin\AppData\Local\Temp\bfdeb36839c4bea7f10ff81531bf3bc7994d13ac97060f72154c61e5e3dbbd8c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1928
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rijwHXlSipb.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rijwHXlSipb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4460.tmp"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2676
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp4460.tmp
    Filesize

    1KB

    MD5

    b0dc62ebbb0eb17c4e7333803e225c4e

    SHA1

    d5ef26cb40fe32cc5832de1d551246cdb17eb0f1

    SHA256

    d322711accfaec657cb3665e9ac4d67703f8ee36ef5fafde2730968d266cddcc

    SHA512

    11bd3b8de49aaf4cf4e5597f6e1f8e1a1e2928788005c426914396ad4e1297db25f7ac374e3acfa1e253aa43aa7657a8e56ef8a4b455d78af12c70c7ad89a29e

    Download Submit
  • memory/1928-26-0x0000000074D30000-0x000000007541E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1928-1-0x0000000000250000-0x000000000031E000-memory.dmp
    Filesize

    824KB

    Download
  • memory/1928-2-0x0000000074D30000-0x000000007541E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1928-4-0x00000000003E0000-0x00000000003E8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1928-3-0x00000000004F0000-0x000000000050A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1928-5-0x0000000000460000-0x000000000046C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1928-6-0x000000000D190000-0x000000000D212000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1928-0-0x0000000074D3E000-0x0000000074D3F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2604-18-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-25-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-24-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-23-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2604-16-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-21-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2604-14-0x0000000000400000-0x0000000000440000-memory.dmp
    Filesize

    256KB

    Download