Analysis
- max time kernel: 145s
- max time network: 112s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 23-04-2021 10:43
Static task: static1
Behavioral task: behavioral1
- Sample: PO NO 16670,16671,16672.exe
- Resource: win7v20210410 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: PO NO 16670,16671,16672.exe
- Resource: win10v20210410 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: PO NO 16670,16671,16672.exe
- Size: 876KB
- MD5: 4b2da32775bb69ef313a77ed01c63ca5
- SHA1: 0f50b7d0721304ccf5c02a23da6a640980b2a24f
- SHA256: e2ea537c8c7c8b76704a156bbf478fedb4464a9bc4dbd1468938c29c8e8b4ea9
- SHA512: c1259c26ce296e18acfece290b771fcdf01dc47ee2074fd129da0a684f65ba2fb7b250e1a2685e50600faedbf7dd2ca6905e00aefcc82b37ac5bafc7421a2f2a
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.tph-buasysteme.com
  - Port: 587
  - Username: d.furchtmann@tph-buasysteme.com
  - Password: kApkjKY8
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (1 IoCs)
  Processes:
    resource                                                                      yara_rule
    behavioral2/memory/3904-125-0x000000000D690000-0x000000000D6C7000-memory.dmp  family_agenttesla
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes: PO NO 16670,16671,16672.exe
    pid   process
    3904  PO NO 16670,16671,16672.exe
    3904  PO NO 16670,16671,16672.exe
    3904  PO NO 16670,16671,16672.exe
    3904  PO NO 16670,16671,16672.exe
    3904  PO NO 16670,16671,16672.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: PO NO 16670,16671,16672.exe
    description              pid   process
    Token: SeDebugPrivilege  3904  PO NO 16670,16671,16672.exe
Downloads
- memory/3904-114-0x0000000000E90000-0x0000000000E91000-memory.dmp (Filesize: 4KB)
- memory/3904-116-0x0000000005760000-0x0000000005761000-memory.dmp (Filesize: 4KB)
- memory/3904-117-0x0000000005D00000-0x0000000005D01000-memory.dmp (Filesize: 4KB)
- memory/3904-118-0x00000000058A0000-0x00000000058A1000-memory.dmp (Filesize: 4KB)
- memory/3904-120-0x0000000005820000-0x0000000005821000-memory.dmp (Filesize: 4KB)
- memory/3904-119-0x0000000005800000-0x0000000005CFE000-memory.dmp (Filesize: 5.0MB)
- memory/3904-121-0x0000000005A90000-0x0000000005A91000-memory.dmp (Filesize: 4KB)
- memory/3904-122-0x0000000005CB0000-0x0000000005CB9000-memory.dmp (Filesize: 36KB)
- memory/3904-123-0x0000000001700000-0x000000000177E000-memory.dmp (Filesize: 504KB)
- memory/3904-124-0x000000000A340000-0x000000000A382000-memory.dmp (Filesize: 264KB)
- memory/3904-125-0x000000000D690000-0x000000000D6C7000-memory.dmp (Filesize: 220KB)
- memory/3904-126-0x000000000D970000-0x000000000D971000-memory.dmp (Filesize: 4KB)
- memory/3904-127-0x000000000DA10000-0x000000000DA11000-memory.dmp (Filesize: 4KB)