Analysis
-
max time kernel
142s -
max time network
147s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-08-2021 13:58
General
-
Target
HSBC Customer Information.exe
-
Size
316KB
-
MD5
63ed62778eedac4623c8f38473272ea9
-
SHA1
ad1ff87b5385d12c24a683944c63e7f12326896c
-
SHA256
2fe02bf6a1fdfa0d584fad4a2c52aa2fa216f588e2ef93e42c00561c2b745731
-
SHA512
5b1a385567b0792c4f13fa67908a1a092033a804170062fc8a9f281f9588487c779bbedd9e3cb859a644572f4a7063ef31527e0808a03e64ddc3a5349a84da49
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.manojengineeringllc.solutions - Port:
587 - Username:
barrister-ricky@manojengineeringllc.solutions - Password:
hzmhA.wxasxF
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
AgentTesla Payload 2 IoCs
-
Checks QEMU agent file 2 TTPs 2 IoCs
Checks presence of QEMU agent, possibly to detect virtualization.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\HSBC Customer Information.exe"C:\Users\Admin\AppData\Local\Temp\HSBC Customer Information.exe"1⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Users\Admin\AppData\Local\Temp\HSBC Customer Information.exe"2⤵
- Checks QEMU agent file
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/204-124-0x0000000000400000-0x0000000000553000-memory.dmpFilesize
1.3MB
-
memory/204-126-0x0000000000400000-0x0000000000401000-memory.dmpFilesize
4KB
-
memory/204-132-0x0000000020700000-0x0000000020701000-memory.dmpFilesize
4KB
-
memory/204-131-0x0000000000D40000-0x0000000000D41000-memory.dmpFilesize
4KB
-
memory/204-130-0x0000000020470000-0x0000000020471000-memory.dmpFilesize
4KB
-
memory/204-121-0x0000000001010000-0x0000000001110000-memory.dmpFilesize
1024KB
-
memory/204-129-0x0000000000D60000-0x0000000000D61000-memory.dmpFilesize
4KB
-
memory/204-123-0x0000000076EB0000-0x000000007703E000-memory.dmpFilesize
1.6MB
-
memory/204-120-0x0000000000C3CE5E-mapping.dmp
-
memory/204-125-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/204-122-0x00007FFA0F4F0000-0x00007FFA0F6CB000-memory.dmpFilesize
1.9MB
-
memory/204-128-0x0000000020810000-0x0000000020811000-memory.dmpFilesize
4KB
-
memory/3932-118-0x0000000076EB0000-0x000000007703E000-memory.dmpFilesize
1.6MB
-
memory/3932-116-0x00000000021D0000-0x00000000021E6000-memory.dmpFilesize
88KB
-
memory/3932-119-0x0000000076EB0000-0x000000007703E000-memory.dmpFilesize
1.6MB
-
memory/3932-117-0x00007FFA0F4F0000-0x00007FFA0F6CB000-memory.dmpFilesize
1.9MB