Analysis
-
max time kernel
149s -
max time network
46s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 00:58
General
-
Target
Quotation list 202006070089_doc.exe
-
Size
438KB
-
MD5
51484024d193248a18ea77fba933144e
-
SHA1
cd47b6136ccb2a4905cda151ce4ae88b3d0648a9
-
SHA256
8aad38614627972f2d27adc9e0a998ba52c55700c37e70da79f9240ed8b3605d
-
SHA512
bd7ec7520fda27af1ec644678eebdd1c2a7eb6be24bf11c4a2f6ae5914076e4ea78f0ed37f85ffb4dca2ca4602e7c7757f7410c6bb653416fd5512f1de4b6bd1
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.anding-tw.com - Port:
587 - Username:
[email protected] - Password:
7#Sjsj*ebT+2
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 6 IoCs
-
ReZer0 packer 1 IoCs
Detects ReZer0, a packer with multiple versions used in various campaigns.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quotation list 202006070089_doc.exe"C:\Users\Admin\AppData\Local\Temp\Quotation list 202006070089_doc.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Quotation list 202006070089_doc.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1228-58-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-59-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-61-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-62-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-63-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-64-0x00000000004479FE-mapping.dmp
-
memory/1228-66-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1228-68-0x0000000000400000-0x000000000044C000-memory.dmpFilesize
304KB
-
memory/1580-54-0x0000000000B60000-0x0000000000BD4000-memory.dmpFilesize
464KB
-
memory/1580-55-0x0000000076811000-0x0000000076813000-memory.dmpFilesize
8KB
-
memory/1580-56-0x0000000000550000-0x0000000000558000-memory.dmpFilesize
32KB
-
memory/1580-57-0x00000000046D0000-0x0000000004724000-memory.dmpFilesize
336KB