Analysis
-
max time kernel
152s -
max time network
159s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 00:00
General
-
Target
items details.exe
-
Size
611KB
-
MD5
559f91a6a1e4d850162e1f8990634f97
-
SHA1
d4afc1ae604b732bd2e3bc561565cf85d164eb4c
-
SHA256
1e84d47cbe4d2c6dad2eb7bd8702e8eed6d838311625039a0d8434953f347bb5
-
SHA512
9ffdc41553ad776b99939f118805ba32ab92cc262e11c5dedd2ac41e7e05845d3769f664d598cedadb550c2c382695604662b86e3fa276f039c2dd922f229cad
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
chikaaka1
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 1 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\items details.exe"C:\Users\Admin\AppData\Local\Temp\items details.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
640KB
-
Filesize
624KB
-
Filesize
584KB
-
-
Filesize
320KB
-
Filesize
5.6MB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
40KB