Analysis
-
max time kernel
144s -
max time network
183s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
20-05-2022 23:35
General
-
Target
payment slip pdf.exe
-
Size
576KB
-
MD5
73446b4f7828240c2176f6dbac0db41e
-
SHA1
17a9f153ab2ce844a8e2ef1f21b674fdc63f827a
-
SHA256
9b8bfd519d8bbe5a7c285f61c73abef27b4e18a22076d036698ec943b5e61c01
-
SHA512
0b34eb5d9a57d4f5de8988e7f0e3abf5a58235e8e5a895cbd88aa606661a9f8182ceb96881fd2aeb2652351ec26baf51acb4350a827b802e0635af66c61a7aad
Malware Config
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
lFAvm@p#@z92
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
lFAvm@p#@z92
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe"C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\payment slip pdf.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\payment slip pdf.exe.logFilesize
685B
MD564f7d1001f1b3c983776387519079574
SHA19696fb5ffd5597c12fc1ca6bcb7fe889f8cc9c2c
SHA256b7724fa480f240bb6e0131973d0f085d5fb0865677f277a2a306f4fa89c89485
SHA512bf81147d1a43290c845f788fbe633bf0ae8abff31a342b0278e525fdf65bd5294e797b3a11f375027e5b2c42d224459583d5a0e753f563d5034d4d7653d39eba
-
memory/3364-131-0x0000000000740000-0x00000000007D6000-memory.dmpFilesize
600KB
-
memory/3364-132-0x00000000056D0000-0x0000000005C74000-memory.dmpFilesize
5.6MB
-
memory/3364-133-0x00000000051C0000-0x0000000005252000-memory.dmpFilesize
584KB
-
memory/3364-134-0x0000000005F80000-0x0000000006106000-memory.dmpFilesize
1.5MB
-
memory/3364-135-0x0000000005C80000-0x0000000005D1C000-memory.dmpFilesize
624KB
-
memory/4964-140-0x0000000000000000-mapping.dmp
-
memory/5032-136-0x0000000000000000-mapping.dmp
-
memory/5032-137-0x0000000000400000-0x0000000000452000-memory.dmpFilesize
328KB
-
memory/5032-139-0x0000000005C50000-0x0000000005CB6000-memory.dmpFilesize
408KB
-
memory/5032-141-0x00000000067A0000-0x00000000067F0000-memory.dmpFilesize
320KB
-
memory/5032-142-0x0000000006980000-0x000000000698A000-memory.dmpFilesize
40KB