Analysis
-
max time kernel
128s -
max time network
130s -
platform
windows10-2004_x64 -
resource
win10v2004-20220414-en -
submitted
21-05-2022 10:35
General
-
Target
OVER DUE INVOICES 154084.exe
-
Size
614KB
-
MD5
95a1528c17e3895f2ef124f2efc48761
-
SHA1
8cafe7112ade6208656219883772a5f9a9767203
-
SHA256
20aade0372aaf34564a83fbe0677e52f11b22196396975150393578c8e1e6a5d
-
SHA512
982eab0f1f61e184a7acb24ac5dcfef998d4556e19c2431d9239f93736e79f8fb8172b9cb7a53a61c87f3279469123d31c342e0f7c087c96d807813d6003a836
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
bigboy5570@@@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICES 154084.exe"C:\Users\Admin\AppData\Local\Temp\OVER DUE INVOICES 154084.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.ExE"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.ExE"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3968-132-0x0000000000000000-mapping.dmp
-
memory/3968-133-0x0000000000400000-0x000000000044A000-memory.dmpFilesize
296KB
-
memory/3968-134-0x0000000074850000-0x0000000074E01000-memory.dmpFilesize
5.7MB