Analysis
-
max time kernel
131s -
max time network
132s -
platform
windows10_x64 -
resource
win10-en-20211014 -
submitted
21-10-2021 13:28
General
-
Target
DELIVERY FOLLOW UP.XLSX.exe
-
Size
481KB
-
MD5
75c0f9a2900015e3b9ab6b5433706786
-
SHA1
787a8a7cd60f220e41b0aed7605db324c06dc786
-
SHA256
d794df300789db006c10efb29a8cd2683c72070312700eff88f82e40c5548667
-
SHA512
e13e8d0fb150a033f9a1e5544a25494fec5f3fb8476d80c0c3fcd45399a44c269a79c40bcc443fe3efd6b595c898b06e714996b36a1076034ca29075ac09d6ec
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.bulletproofprotections.com - Port:
587 - Username:
account@bulletproofprotections.com - Password:
Everest10account
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"C:\Users\Admin\AppData\Local\Temp\DELIVERY FOLLOW UP.XLSX.exe"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 13843⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/4372-115-0x00000000009E0000-0x00000000009E1000-memory.dmpFilesize
4KB
-
memory/4372-117-0x0000000005820000-0x0000000005821000-memory.dmpFilesize
4KB
-
memory/4372-118-0x0000000005320000-0x0000000005321000-memory.dmpFilesize
4KB
-
memory/4372-119-0x0000000005320000-0x000000000581E000-memory.dmpFilesize
5.0MB
-
memory/4372-120-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/4372-121-0x0000000005300000-0x0000000005307000-memory.dmpFilesize
28KB
-
memory/4372-122-0x0000000006040000-0x0000000006041000-memory.dmpFilesize
4KB
-
memory/4372-123-0x00000000060E0000-0x0000000006138000-memory.dmpFilesize
352KB
-
memory/4528-124-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/4528-125-0x000000000043779E-mapping.dmp
-
memory/4528-130-0x00000000051B0000-0x00000000056AE000-memory.dmpFilesize
5.0MB
-
memory/4528-131-0x00000000052F0000-0x00000000052F1000-memory.dmpFilesize
4KB
-
memory/4528-132-0x0000000005E10000-0x0000000005E11000-memory.dmpFilesize
4KB