Analysis
-
max time kernel
67s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
21-05-2022 18:49
General
-
Target
Statement Account - MAY 2020-pdf.exe
-
Size
731KB
-
MD5
14e646718d29dde7c8643ff5d07f9311
-
SHA1
511ee82c3f4535389d5f62f89d2e1419709f27aa
-
SHA256
33fefd2ae3ff75bcae6718f2abbc99bc7ca047a4543c5420883eb39e1128e9e5
-
SHA512
65e3dab2b088bd106adda6c1ded885928d8825d00295524329f703c7617e41cedb7926fe355363229c4176d49f35ef473563ddf775aa219fc8f7d7868b1ae9fb
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.hitechnocrats.com - Port:
587 - Username:
accounts@hitechnocrats.com - Password:
tnbJ_YL&GmP}
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
-
Drops startup file 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Statement Account - MAY 2020-pdf.exe"C:\Users\Admin\AppData\Local\Temp\Statement Account - MAY 2020-pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\notepad.exe"C:\Windows\system32\notepad.exe"2⤵
- Drops startup file
-
C:\Users\Admin\AppData\Local\Temp\Statement Account - MAY 2020-pdf.exe"C:\Users\Admin\AppData\Local\Temp\Statement Account - MAY 2020-pdf.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/324-60-0x00000000004B0000-0x0000000000502000-memory.dmpFilesize
328KB
-
memory/324-58-0x00000000004B0000-0x0000000000502000-memory.dmpFilesize
328KB
-
memory/324-57-0x00000000004AE080-mapping.dmp
-
memory/324-62-0x0000000074390000-0x000000007493B000-memory.dmpFilesize
5.7MB
-
memory/1100-63-0x0000000000000000-mapping.dmp
-
memory/1464-55-0x0000000000000000-mapping.dmp
-
memory/1668-54-0x0000000075EF1000-0x0000000075EF3000-memory.dmpFilesize
8KB
-
memory/1668-59-0x0000000000400000-0x00000000004BD000-memory.dmpFilesize
756KB