Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 05:26

General

  • Target
    Purchase Order PO5351.exe
  • Size
    355KB
  • MD5
    583ae888adbd5a79d055fbd414cc403b
  • SHA1
    02fe0acb2796c2be544cee6cde690071e3cbfced
  • SHA256
    e2ef34d6833b50a6bb0c28e94c5f1f0c7454d13b41c14b5b5a8de2a84f8a8771
  • SHA512
    6d584518b741a225f887d8bacc621ae0461b3ada7781fdba51a2cdcd717c3869bafc9d06da88c22b3530341032676057c5747afb3be9187844bb3f2293f37060

Malware Config

Extracted

  • Family
    agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.appalliser.com
  • Port:
    587
  • Username:
    newwork1@appalliser.com
  • Password:
    !%RvA^hkLSn&

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • AgentTesla Payload 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1324
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order PO5351.exe"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:740

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Credential Access
    Credentials in Files (T1081): 3
  • Discovery
    System Information Discovery (T1082): 1
  • Collection
    Data from Local System (T1005): 3
    Email Collection (T1114): 1

Downloads

  • \Users\Admin\AppData\Local\Temp\nstB3D6.tmp\gqdtoh.dll
    MD5
    5a58f937df449de296b78bff64cdd730
    SHA1
    a62509aa4d31ddb12a3dc881fb029d575b77484d
    SHA256
    59080307e0cfb01fe407d6f08347f540f3f0b42764b46c65c6571ff186ace7c7
    SHA512
    bdcafa07ace4802845fd06bf203a4c393f211635e3a8f2b7fd2af3df0667318f90b7db2563ca2838a510d72253d3b8f797d7491ba9fa1ad632d3dc274fa81d07
  • memory/740-56-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize
    304KB
  • memory/740-57-0x000000000040188B-mapping.dmp
  • memory/740-59-0x0000000000840000-0x0000000000877000-memory.dmp
    Filesize
    220KB
  • memory/740-62-0x00000000045F1000-0x00000000045F2000-memory.dmp
    Filesize
    4KB
  • memory/740-61-0x0000000000400000-0x000000000044C000-memory.dmp
    Filesize
    304KB
  • memory/740-63-0x00000000045F2000-0x00000000045F3000-memory.dmp
    Filesize
    4KB
  • memory/740-64-0x00000000045F3000-0x00000000045F4000-memory.dmp
    Filesize
    4KB
  • memory/740-65-0x00000000045F4000-0x00000000045F5000-memory.dmp
    Filesize
    4KB
  • memory/1324-54-0x0000000075661000-0x0000000075663000-memory.dmp
    Filesize
    8KB