Analysis
- max time kernel: 146s
- max time network: 114s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 29-01-2021 09:01
Static task: static1
Behavioral task: behavioral1
  Sample: 3a3270aced9ac5f099542a5318d62e5f.exe
  Resource: win7v20201028
Behavioral task: behavioral2
  Sample: 3a3270aced9ac5f099542a5318d62e5f.exe
  Resource: win10v20201028
General
- Target: 3a3270aced9ac5f099542a5318d62e5f.exe
- Size: 936KB
- MD5: 3a3270aced9ac5f099542a5318d62e5f
- SHA1: 77e5ac9bb4f0d95dc40dc2824c8f50f7ddf44ebc
- SHA256: 9a8ffb097e2d4a4788ed1455d23a73e91a8a7b1ae4b9b1152e63fc1f7730ed89
- SHA512: 47df0b24b4ee57b4e474dc6cd8c0501988289a4131a42c718346c98dddfd063f088f7c12ec52c4bc08eca73b76d8104f46eaff8619cead24157bf90dbd51bee1
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.godforeu.com
- Port: 587
- Username: [email protected]
- Password: O8k#Pz4sk:w_
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  - resource: behavioral2/memory/504-17-0x00000000004374CE-mapping.dmp; yara_rule: family_agenttesla
  - resource: behavioral2/memory/504-16-0x0000000000400000-0x000000000043C000-memory.dmp; yara_rule: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe) set thread context of PID 504 (3a3270aced9ac5f099542a5318d62e5f.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Processes:
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe), 5 occurrences
  - PID 504 (3a3270aced9ac5f099542a5318d62e5f.exe), 2 occurrences
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe)
  - Token: SeDebugPrivilege, PID 504 (3a3270aced9ac5f099542a5318d62e5f.exe)
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes:
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe) wrote to memory of PID 296 (schtasks.exe), 3 occurrences
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe) wrote to memory of PID 4068 (3a3270aced9ac5f099542a5318d62e5f.exe), 3 occurrences
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe) wrote to memory of PID 2464 (3a3270aced9ac5f099542a5318d62e5f.exe), 3 occurrences
  - PID 492 (3a3270aced9ac5f099542a5318d62e5f.exe) wrote to memory of PID 504 (3a3270aced9ac5f099542a5318d62e5f.exe), 8 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 492
  Child processes:
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\OZaawewgVnTHTz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp29D0.tmp"
    - Creates scheduled task(s)
    PID: 296
  - C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
    PID: 4068
  - C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
    PID: 2464
  - C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3a3270aced9ac5f099542a5318d62e5f.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 504
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3a3270aced9ac5f099542a5318d62e5f.exe.log
  MD5: 65f1f0c7993639f9f9e1d524224a2c93
  SHA1: 5b51a6a56f3041dbc2d3f510252bbe68ffbbc59c
  SHA256: e582e80a644a998d1b2958bdcb0cd1e899076befa7c5e868d033b3fe75a2ca93
  SHA512: 3e8953968bbc31f3105a0df28b95edfb4cee8af78ec527d47707b82e3d5fc2aa725fca574de3c963da53614e60d282408b21d075eed007be25679e9458bf1c23
- (path not recorded in the report)
  MD5: bc544e98b7c56285645c2f1dbe0b08bc
  SHA1: db807d02e194f3c5e88813b861b590c6b65e9c3d
  SHA256: d84bf98e3bd3b8d161e5891d1b63f3edf01ab01c2b1109cf86640f282e12e48d
  SHA512: e49daa1d985179c9f9bf473a6b4491f747c749840ebf0f82e5596759a747439dc865f144898def767c3ccc9d70ed630ae70e9dcc3105a2841e4095ba0455bc3a