Analysis
-
max time kernel
133s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 05:59
General
-
Target
Rfq clarifications.exe
-
Size
25KB
-
MD5
bc48ec658d3ae45d8eaf52b6f1ab75fd
-
SHA1
6af36a0768884ad9fd39507911d824d1dc2963db
-
SHA256
3c42490be13ea791feda53e89f19abc2c4326cc581e9f7fb4040340e38b5a7c6
-
SHA512
76a034e57bb0d6c7159853b1ed78d374b57d55f14d464e49ece07f3e73633bc51eb07b65b708d5288cecfef17d3e6a25706cb2fd00bda0ae4465bb41472a3178
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
mail.modernsystemsco.com - Port:
587 - Username:
[email protected] - Password:
Base@2222$
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.modernsystemsco.com - Port:
587 - Username:
[email protected] - Password:
Base@2222$ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
suricata: ET MALWARE AgentTesla Exfil Via SMTP
suricata: ET MALWARE AgentTesla Exfil Via SMTP
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Delays execution with timeout.exe 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Rfq clarifications.exe"C:\Users\Admin\AppData\Local\Temp\Rfq clarifications.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout 302⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout 303⤵
- Delays execution with timeout.exe
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
48KB
-
-
Filesize
232KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
584KB
-
Filesize
40KB
-