Analysis
-
max time kernel
120s -
max time network
122s -
platform
windows10_x64 -
resource
win10 -
submitted
30-06-2020 09:00
General
-
Target
Quotation.exe
-
Size
398KB
-
MD5
acf625220d32911234345c7c65bf0477
-
SHA1
dea87c877a0ea827b654fb9c0d4e66d51aea212c
-
SHA256
22bb4fb64047a3ccdb9e79080e9b9769733a84fceb7d2ec8e82d3823802e33fb
-
SHA512
60622fa547a08ed113c9579372b91c07758bf2fbc3670317e5a227ddaa4968c6297f4c5cef59b1771d86604b5219e7c61a273fe6db9bda55129278abbdd42c5e
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
telley_min@vectromtech.com - Password:
111aaa
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
telley_min@vectromtech.com - Password:
111aaa
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation.exe"C:\Users\Admin\AppData\Local\Temp\Quotation.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3824-1-0x000000000044A73E-mapping.dmp
-
memory/3824-0-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB