Analysis

  • max time kernel
    168s
  • max time network
    188s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    01-07-2022 03:22

General

  • Target

    608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe

  • Size

    775KB

  • MD5

    7f4df8a2ce1ae2c87509a7554a8a2312

  • SHA1

    144f7be59e7d0ab494fe7b034cd263f32c332db4

  • SHA256

    608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f

  • SHA512

    42bdd96d520ce3647481cce844240d26e8d07d504946540ffda93dbfe95e22bcf65601e45b424cb0eaa2197d1bc8ad29c91bc97fb5884f0651df528c53878c17

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.vitiren.website
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    R_(^!h,UT{s5
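
The SMTP host and port above are the exfiltration endpoint the sandbox extracted from the sample's configuration. The Python below is an added example, not code from this report or from the Agent Tesla sample, showing how to turn that config into a network detection: it runs over constructed Sysmon Event ID 3 (network connection) records and flags an exact match on the extracted C2, any other contact with the C2 host, and SMTP submission (port 587) from a process that is not a mail client. Only the config values and the RegAsm.exe image/PID 4684 come from the report; the log lines, the mail-client allowlist and every other process are assumptions for illustration.

```python
"""Turn the extracted Agent Tesla SMTP config into a network detection.

Added example; not code from the sandbox report or the sample. The config
values come from the report's Malware Config section. The Sysmon Event ID 3
records below are constructed, and the mail-client allowlist is an assumption.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Lifted from the report's "Malware Config" section.
EXTRACTED_CONFIG = {
    "family": "agenttesla",
    "protocol": "smtp",
    "host": "mail.vitiren.website",
    "port": 587,
}

# Workstation processes expected to use SMTP submission (587).
# Assumption for this example; tune to the estate's real mail clients.
MAIL_CLIENT_ALLOWLIST = {"outlook.exe", "thunderbird.exe"}

# Constructed Sysmon Event ID 3 (network connection) records as JSON lines.
# Only the RegAsm.exe image and PID 4684 are taken from the report.
SAMPLE_EVENTS = r"""
{"EventID":3,"ProcessId":4684,"Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","DestinationHostname":"mail.vitiren.website","DestinationPort":587}
{"EventID":3,"ProcessId":5120,"Image":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE","DestinationHostname":"smtp.office365.com","DestinationPort":587}
{"EventID":3,"ProcessId":6001,"Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\updater.exe","DestinationHostname":"smtp.gmail.com","DestinationPort":587}
{"EventID":3,"ProcessId":900,"Image":"C:\\Windows\\System32\\svchost.exe","DestinationHostname":"mail.vitiren.website","DestinationPort":443}
{"EventID":1,"ProcessId":7000,"Image":"C:\\Windows\\System32\\cmd.exe"}
"""


@dataclass(frozen=True)
class Finding:
    pid: int
    image: str
    dest: str
    port: int
    reason: str


def image_basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def classify(event: dict, config: dict = EXTRACTED_CONFIG) -> Optional[Finding]:
    """Return a Finding for a suspicious connection event, else None."""
    if event.get("EventID") != 3:
        return None
    dest = str(event.get("DestinationHostname", "")).lower()
    port = int(event.get("DestinationPort", 0))
    image = event["Image"]

    def hit(reason: str) -> Finding:
        return Finding(event["ProcessId"], image, dest, port, reason)

    # Exact match on the extracted C2: highest confidence.
    if dest == config["host"] and port == config["port"]:
        return hit("matches extracted agenttesla smtp c2")
    # Any other contact with the C2 host still warrants a look (e.g. a fallback port).
    if dest == config["host"]:
        return hit("contacts extracted c2 host on an unexpected port")
    # Behavioural fallback that survives a C2 change: SMTP submission
    # from something that is not a mail client.
    if port == config["port"] and image_basename(image) not in MAIL_CLIENT_ALLOWLIST:
        return hit("smtp submission from a non-mail-client process")
    return None


def scan(jsonl: str) -> list:
    """Apply classify() to each JSON line; blank lines and non-EID-3 events are skipped."""
    findings = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        finding = classify(json.loads(line))
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid:<5} {image_basename(f.image):<14} -> {f.dest}:{f.port}  [{f.reason}]")
```

The third rule is the one worth keeping after this campaign's mail server is gone: Agent Tesla operators rotate SMTP accounts freely, but a .NET framework utility or a binary in %TEMP% opening port 587 is abnormal on almost any workstation.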

Signatures

  • AgentTesla

    Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, commonly reported as written in Visual Basic .NET. In this run the final payload executes inside the legitimate .NET Framework utility RegAsm.exe (PID 4684), which is the process that performs the Outlook profile access and Run-key persistence listed below.

  • AgentTesla Payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Drops startup file 1 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data (account settings and saved credentials) on disk, where infostealers often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe
    "C:\Users\Admin\AppData\Local\Temp\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwma5.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwma5.exe
      2⤵
      • Executes dropped EXE
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:3004
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ke2bw05r\ke2bw05r.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4036
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF784.tmp" "c:\Users\Admin\AppData\Local\Temp\ke2bw05r\CSCCE825AEF9FBF4FA0A25CE8B070D91154.TMP"
          4⤵
          PID:2688
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yz2oiji3\yz2oiji3.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3316
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF968.tmp" "c:\Users\Admin\AppData\Local\Temp\yz2oiji3\CSC34921F2B3D05491F8DE1A0A95F3EC97D.TMP"
          4⤵
          PID:4368
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        3⤵
        • Accesses Microsoft Outlook profiles
        • Adds Run key to start application
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • outlook_office_path
        • outlook_win_path
        PID:4684
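
The tree above is the chain a hunter would key on: the submitted EXE unpacks into %TEMP%\IXP000.TMP (the directory name IExpress self-extractors use), the dropped PugRIiJsVbzDZNOwma5.exe invokes csc.exe twice to compile C# at runtime from .cmdline files in %TEMP%, and then starts RegAsm.exe with no arguments. Combined with the SetThreadContext, MapViewOfSection and WriteProcessMemory signatures on PID 3004, that is the pattern of process hollowing into a signed .NET utility. The Python below is an added example, not code from this report or the sample: it replays the tree as constructed Sysmon Event ID 1 (process creation) records and applies the three corresponding checks, printing the root-to-leaf chain for each hit. The explorer.exe parent of PID 3480, the devenv.exe and msiexec.exe control events, and the RegSvcs/InstallUtil and build-tool lists are assumptions for illustration.

```python
"""Flag the drop -> compile -> hollow chain seen in the report's process tree.

Added example; not code from the sandbox report or the sample. The five
events for PIDs 3480, 3004, 4036, 2688 and 4684 are rebuilt from the tree
as Sysmon Event ID 1 records; the explorer.exe parent of 3480, the devenv.exe
and msiexec.exe control events, and the host/build-tool lists are assumptions.
"""
import json
import re

# A user profile's %TEMP%, and the IXP###.TMP directory that IExpress (wextract)
# self-extractors unpack into; the dropped EXE in the report runs from IXP000.TMP.
USER_TEMP_RE = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
IEXPRESS_RE = re.compile(r"\\IXP\d{3}\.TMP\\", re.I)

# Signed .NET Framework utilities commonly used as process-hollowing hosts.
# The report shows RegAsm.exe; the other two are added for coverage (assumption).
HOLLOW_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe"}
# Parents that legitimately invoke csc.exe (assumption; extend for the estate).
BUILD_TOOLS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

# Constructed Sysmon Event ID 1 records (JSON lines). Paths and PIDs of the
# first five mirror the report; the last two are benign controls.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":3480,"ParentProcessId":1200,"ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe","CommandLine":"\"C:\\Users\\Admin\\AppData\\Local\\Temp\\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe\""}
{"EventID":1,"ProcessId":3004,"ParentProcessId":3480,"ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\608084b2ea7f4924d400a9e199db1a894fa0935a4828cfa6d3eb8ac93a2a376f.exe","Image":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\PugRIiJsVbzDZNOwma5.exe","CommandLine":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\PugRIiJsVbzDZNOwma5.exe"}
{"EventID":1,"ProcessId":4036,"ParentProcessId":3004,"ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\PugRIiJsVbzDZNOwma5.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe\" /noconfig /fullpaths @\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ke2bw05r\\ke2bw05r.cmdline\""}
{"EventID":1,"ProcessId":2688,"ParentProcessId":4036,"ParentImage":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe","CommandLine":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86"}
{"EventID":1,"ProcessId":4684,"ParentProcessId":3004,"ParentImage":"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\PugRIiJsVbzDZNOwma5.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\""}
{"EventID":1,"ProcessId":5100,"ParentProcessId":5000,"ParentImage":"C:\\Program Files\\Microsoft Visual Studio\\Common7\\IDE\\devenv.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\csc.exe","CommandLine":"csc.exe /noconfig @\"C:\\src\\app\\obj\\Debug\\app.cmdline\""}
{"EventID":1,"ProcessId":6100,"ParentProcessId":6000,"ParentImage":"C:\\Windows\\System32\\msiexec.exe","Image":"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe","CommandLine":"\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\" /codebase C:\\Program Files\\Vendor\\Plugin.dll"}
"""


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def load(jsonl: str) -> dict:
    """Index Event ID 1 records by PID (a real pipeline would stream these)."""
    procs = {}
    for line in jsonl.splitlines():
        if line.strip():
            ev = json.loads(line)
            if ev.get("EventID") == 1:
                procs[ev["ProcessId"]] = ev
    return procs


def has_no_arguments(image: str, cmdline: str) -> bool:
    """True when the command line is nothing but the (optionally quoted) image path."""
    return cmdline.strip().strip('"').lower() == image.lower()


def evaluate(proc: dict) -> list:
    """Return the reasons this process creation is suspicious (empty if none)."""
    image, parent = proc["Image"], proc.get("ParentImage", "")
    name, cmdline = basename(image), proc.get("CommandLine", "")
    reasons = []
    if IEXPRESS_RE.search(image):
        reasons.append("runs from an IExpress extraction dir (IXP###.TMP)")
    if name == "csc.exe" and basename(parent) not in BUILD_TOOLS and USER_TEMP_RE.search(parent):
        reasons.append("runtime C# compilation requested by a %TEMP%-resident parent")
    if name in HOLLOW_HOSTS and has_no_arguments(image, cmdline) and USER_TEMP_RE.search(parent):
        reasons.append("argument-less .NET utility spawned by a %TEMP%-resident parent (hollowing host)")
    return reasons


def chain(procs: dict, pid: int) -> list:
    """Root-to-leaf image names; uses ParentImage when the root's own event is missing."""
    names, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur["ProcessId"] not in seen:  # seen guards PID reuse loops
        seen.add(cur["ProcessId"])
        names.append(basename(cur["Image"]))
        parent = procs.get(cur.get("ParentProcessId"))
        if parent is None and cur.get("ParentImage"):
            names.append(basename(cur["ParentImage"]))
        cur = parent
    return list(reversed(names))


def scan(procs: dict) -> dict:
    """PID -> reasons, for every process with at least one hit."""
    return {pid: r for pid, p in procs.items() if (r := evaluate(p))}


if __name__ == "__main__":
    procs = load(SAMPLE_EVENTS)
    for pid, reasons in scan(procs).items():
        print(f"PID {pid}: {' -> '.join(chain(procs, pid))}")
        for r in reasons:
            print(f"    - {r}")
```

The two controls matter as much as the hits: csc.exe under devenv.exe and RegAsm.exe launched by msiexec.exe with a /codebase argument are everyday events on developer and build machines, and a rule that fires on the .NET utility alone rather than on the parent location and empty command line will not survive tuning.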

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwm

        Filesize

        1.2MB

        MD5

        b7a0753eb703280b32f91ecc43876c6c

        SHA1

        23790c26bcebd35b1b2d7a1a0063125cccd17b02

        SHA256

        a9a52c886354f8e04c8312967a3a5c9d62ff2c47159ddc97e25de1bf68880b48

        SHA512

        03ff88d00f866e9fd1a6eff1388a2164d1b266af7836e81cb2cfe93efead71591af7f4262cf1136fbd7ad1ebbed34596370ee6f6717a8823be762431cca70f42

      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\PugRIiJsVbzDZNOwma5.exe

        Filesize

        458KB

        MD5

        b1ef6ee05be3b15ef1e75a17f1d6cc75

        SHA1

        654f5c69b227baa54aac9e2d6183d4ec8a9561a5

        SHA256

        5d8452a8703c4d3fff072c5ea498adadc003347c3c367bee401cbf59046307a1

        SHA512

        7851dac89d32071d40f8028906a70c3903fc94d656ecd71f5100dcd90e98b9ada8f8c669255702a7e7a8dea46abf5c60b882e5e2041ae14666be56a5b2f5f1f6

      • C:\Users\Admin\AppData\Local\Temp\RESF784.tmp

        Filesize

        1KB

        MD5

        940e989546ce5c299d795038f50e7c9b

        SHA1

        7e92e307dea245b534f057df67629ab08c67b09a

        SHA256

        3711c726512d7a185269ac80da4318e20e5e4cf396f47d58b036d5e40799d2d6

        SHA512

        f4c99a49f5901cc9e8155e447f36d1a0ed4f510367e2af0497a586a7cb9c0bff8871d9ad78efa871a788f7a1514bbd4356d869637cc9cf48220ef879ebf68f8a

      • C:\Users\Admin\AppData\Local\Temp\RESF968.tmp

        Filesize

        1KB

        MD5

        b08556493d6bba9ca38af0c97537d381

        SHA1

        3d30c8c2524f247ebc3aea36f9d6b2a7b5e102d8

        SHA256

        db4c0d3a2355eabc06f347d2548d664495440104e998fa3183e3da8102ac1b6e

        SHA512

        716fc1cd1441529eb2887c052282b2d004ce101b01194273d1df3a2409d03855b9e5f47727b2ea24e69f147530b50762bde54735d3e42eb4877d1926a7aef51b

      • C:\Users\Admin\AppData\Local\Temp\ke2bw05r\ke2bw05r.dll

        Filesize

        846KB

        MD5

        2c191051a6cba588ca7a279ef95f645a

        SHA1

        2b2b5517f62bf60b91f357e5d6381952d3542dee

        SHA256

        165def7bbfb8e631cdd21501a7354e6210bf94f70d42fd08d46578187c7d977a

        SHA512

        71aa928b82cd216a37939fe38c0e89ae2a77dbce4ab73c4b3c572081d2b81015d1ee797acc9546333b102c5a3546070647050c33d349d0511209ebce5d5421b5

      • C:\Users\Admin\AppData\Local\Temp\yz2oiji3\yz2oiji3.dll

        Filesize

        846KB

        MD5

        00be6d926634d91715ca1afeee9c333c

        SHA1

        95c972ee8546f87adc432d744e8fd3ff9ab5a657

        SHA256

        88fbe14184de94c616f1f04e9ad87a4b2d1fc58da038da91c492ff371f926f8d

        SHA512

        f56645300d441314e187f665b82f339c8694160b4adad2d6a0339b78725055a01c9e37b4d69802a298f736d75a3250e398c65d370696017e4e58cd85306ae522

      • \??\c:\Users\Admin\AppData\Local\Temp\ke2bw05r\CSCCE825AEF9FBF4FA0A25CE8B070D91154.TMP

        Filesize

        652B

        MD5

        407aefeeefbbdabcb90229bec9b940f5

        SHA1

        ef817acf6b42cec2a35421ac2295619f65652eb9

        SHA256

        27a080e50e0057d6e316a098d7171b3f570dffc4e03cb0820dc85777a8b242d4

        SHA512

        75e2f46e7a40f52b20389c563a7d021e187fccb99cb3b27af52d1bddfbe80adc10b33b7743270e41bd3e9a153575a0bd6d3cb79079bf297a04423e84f3ac0736

      • \??\c:\Users\Admin\AppData\Local\Temp\ke2bw05r\ke2bw05r.0.cs

        Filesize

        1.2MB

        MD5

        975bfacb6caaf9b0842b1e053a649409

        SHA1

        cb32bc9be9ddbb0fd1933eeb18c8b09a498db977

        SHA256

        905d4ad1818508174b7213757a53b413d443875fdd6491d6db4f57d56bdcddc4

        SHA512

        33045de9fbb355c654b5e5127977d1504ecf56c32698f7c19ad446cde65162560e3227feb729cc424d4a211b9ddfa3de75de12722953ae1c3edd512e44a1ac12

      • \??\c:\Users\Admin\AppData\Local\Temp\ke2bw05r\ke2bw05r.cmdline

        Filesize

        302B

        MD5

        e0da43b4e4d86387ef5616ebbb5b4d34

        SHA1

        918f09bfb174f0afad8a5c81e220ebcc34c0dc5c

        SHA256

        50628f23984dfb66ad2d2797ff5f7bce8093cece188bf9403b6c98bf67653e08

        SHA512

        e410b831151770e174a87d0cbf951c4273962b4d4d7d4c464191734f93348d8f6d7d35216b2fc8bdd3532cb940e70bb93631ff3bab2ec9109196385be60cedee

      • \??\c:\Users\Admin\AppData\Local\Temp\yz2oiji3\CSC34921F2B3D05491F8DE1A0A95F3EC97D.TMP

        Filesize

        652B

        MD5

        3c0c7a9ff25de3544bb65e9cd57abb16

        SHA1

        4feefa3686af0530b2f9d52d1b1223f4551dced1

        SHA256

        2cd10e0d316b4d7285d08898bd10ebf617129b9923e0a9d9f3ec5ce7bcbda7a1

        SHA512

        36a037f58b7b84211a8727de5ac0316723e93dbde140dd0d1a77209fd77ab79b2e3670e3f1f1b882b453416ba52a4b2fe2f14eed6bda2377930734893226e2a1

      • \??\c:\Users\Admin\AppData\Local\Temp\yz2oiji3\yz2oiji3.0.cs

        Filesize

        1.2MB

        MD5

        975bfacb6caaf9b0842b1e053a649409

        SHA1

        cb32bc9be9ddbb0fd1933eeb18c8b09a498db977

        SHA256

        905d4ad1818508174b7213757a53b413d443875fdd6491d6db4f57d56bdcddc4

        SHA512

        33045de9fbb355c654b5e5127977d1504ecf56c32698f7c19ad446cde65162560e3227feb729cc424d4a211b9ddfa3de75de12722953ae1c3edd512e44a1ac12

      • \??\c:\Users\Admin\AppData\Local\Temp\yz2oiji3\yz2oiji3.cmdline

        Filesize

        302B

        MD5

        00081b2006e0ee8017a87f31ed2e92c9

        SHA1

        70fae5b16040d6da66a3bf22959d57fcf0132a6d

        SHA256

        4ebf1531ab4900f49505215a75193569a42da80822698ea09077bd5c3e316632

        SHA512

        0bbabf4bf20589f51a2c5c6469755e4b341e0178a3c9f11115f44c3322fbbae3d62eab824365371b71d8cc769c2f88fe837564db8649f0baa20e6abfa28d473b

      • memory/2688-138-0x0000000000000000-mapping.dmp

      • memory/3004-133-0x0000000000B10000-0x0000000000B88000-memory.dmp

        Filesize

        480KB

      • memory/3004-130-0x0000000000000000-mapping.dmp

      • memory/3004-150-0x0000000005580000-0x0000000005583000-memory.dmp

        Filesize

        12KB

      • memory/3316-142-0x0000000000000000-mapping.dmp

      • memory/4036-135-0x0000000000000000-mapping.dmp

      • memory/4368-145-0x0000000000000000-mapping.dmp

      • memory/4684-149-0x0000000000000000-mapping.dmp

      • memory/4684-151-0x0000000000400000-0x000000000044E000-memory.dmp

        Filesize

        312KB

      • memory/4684-152-0x0000000005E90000-0x0000000006434000-memory.dmp

        Filesize

        5.6MB

      • memory/4684-153-0x0000000005760000-0x00000000057F2000-memory.dmp

        Filesize

        584KB

      • memory/4684-154-0x00000000058E0000-0x000000000597C000-memory.dmp

        Filesize

        624KB

      • memory/4684-155-0x0000000006440000-0x00000000064A6000-memory.dmp

        Filesize

        408KB

      • memory/4684-156-0x0000000006C30000-0x0000000006C3A000-memory.dmp

        Filesize

        40KB