Analysis
-
max time kernel
113s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
26-04-2022 04:42
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Resource
win10v2004-20220414-en
General
-
Target
SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
-
Size
635KB
-
MD5
a27c8ee8b37605f3c05e4eb4d614f359
-
SHA1
6a8b97217d52a752075b08207bad7d7c867a8854
-
SHA256
910a6e4138cb422bf570130f05cdb463d726c0eddb2882bdc6e42fb1daace384
-
SHA512
769fe817c1616f80672a63ad8a8464c26aa4374e569343df04feab22a3a1193eac5f7eee5fb3afaa94ed28792da492659c2b02220f0197c1b89641a0d7f9f536
Malware Config
Extracted
Protocol: ftp- Host:
ftp.unitelha.com - Port:
21 - Username:
kilop@unitelha.com - Password:
Wljp?j]gQwC?
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.unitelha.com/ - Port:
21 - Username:
kilop@unitelha.com - Password:
Wljp?j]gQwC?
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription pid process target process PID 2868 set thread context of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exeSecuriteInfo.com.W32.AIDetectNet.01.19723.exepid process 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe 944 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe 944 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exeSecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription pid process Token: SeDebugPrivilege 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe Token: SeDebugPrivilege 944 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription pid process target process PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe PID 2868 wrote to memory of 944 2868 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
outlook_office_path 1 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe -
outlook_win_path 1 IoCs
Processes:
SecuriteInfo.com.W32.AIDetectNet.01.19723.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 SecuriteInfo.com.W32.AIDetectNet.01.19723.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.W32.AIDetectNet.01.19723.exe.logFilesize
2KB
MD5960db1608204cb34c7b9b2450df672c4
SHA17ca01174a0a3071a07039f6726a39d984c1009f1
SHA2562595725555bd9b12413f06eac7b936d99596ff0376002e3955c15eb8501fde1b
SHA512fb29c873d9ef3481d0a3525288ad5b366eb00e38321dd962e4c39845aaacae0f8b69c695a47417376a9f6fa04c158638ed640752c46e8f0ce7bade31e203f4d3
-
memory/944-135-0x0000000000000000-mapping.dmp
-
memory/944-136-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/944-138-0x00000000063B0000-0x0000000006400000-memory.dmpFilesize
320KB
-
memory/944-139-0x00000000068E0000-0x00000000068EA000-memory.dmpFilesize
40KB
-
memory/2868-130-0x0000000000E80000-0x0000000000F24000-memory.dmpFilesize
656KB
-
memory/2868-131-0x0000000005FB0000-0x0000000006554000-memory.dmpFilesize
5.6MB
-
memory/2868-132-0x0000000005AA0000-0x0000000005B32000-memory.dmpFilesize
584KB
-
memory/2868-133-0x0000000005DE0000-0x0000000005E7C000-memory.dmpFilesize
624KB
-
memory/2868-134-0x0000000006A20000-0x0000000006A86000-memory.dmpFilesize
408KB