Analysis
-
max time kernel
150s -
max time network
50s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:38
General
-
Target
QUOTATION.r00.exe
-
Size
1.0MB
-
MD5
1fa82367e6566b2f3a6b600cad030c44
-
SHA1
59c724ad18b95c55a18c58022183c51eec572049
-
SHA256
7d5613b39d0a6e9022304e17d360d351b04fadd2cebb8e24ae203bd8eba32196
-
SHA512
d53c9502c35a313bc8c7d24022c383a2038c8180937dfd7acb990348c331d44a099f5d841147297fb7ccf31925e2707930807eef28a105e06915417a6234d6fd
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.framafilms.com - Port:
587 - Username:
[email protected] - Password:
lister11
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 31 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTATION.r00.exe"C:\Users\Admin\AppData\Local\Temp\QUOTATION.r00.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe"{path}"3⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/860-70-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-82-0x0000000074B50000-0x00000000750FB000-memory.dmpFilesize
5.7MB
-
memory/860-80-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-78-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-76-0x0000000000445D3E-mapping.dmp
-
memory/860-75-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-74-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-73-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/860-71-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/1192-61-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-69-0x0000000074B50000-0x00000000750FB000-memory.dmpFilesize
5.7MB
-
memory/1192-67-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-65-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-63-0x00000000004977F6-mapping.dmp
-
memory/1192-62-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-59-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-57-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1192-56-0x0000000000400000-0x00000000004D0000-memory.dmpFilesize
832KB
-
memory/1964-54-0x0000000075401000-0x0000000075403000-memory.dmpFilesize
8KB
-
memory/1964-55-0x0000000074B50000-0x00000000750FB000-memory.dmpFilesize
5.7MB