Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09-07-2020 12:03
General
-
Target
8dbaeb95613404b722cddba9f846af5d.exe
-
Size
292KB
-
MD5
8dbaeb95613404b722cddba9f846af5d
-
SHA1
a8eb6c8e3f83621e6237eb637d7ff4f47be1e9fb
-
SHA256
92eadd8fcf1d04978390cd854817d52bcbdf54ea60bd1dd3c24d8ab2bad843d1
-
SHA512
a3a7bf361889c8e1ae4c1b7e0e9211cb619764331580341564bca53a4bc46a88016f55fa19c9b078aa4e92a65635dd88b2cf9c94bed334ec6c57d08fcfccb741
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
$%$nWr+eH
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Processes
-
C:\Users\Admin\AppData\Local\Temp\8dbaeb95613404b722cddba9f846af5d.exe"C:\Users\Admin\AppData\Local\Temp\8dbaeb95613404b722cddba9f846af5d.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses