Analysis
-
max time kernel
88s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
22/11/2022, 15:30
General
-
Target
82105269.exe
-
Size
1.0MB
-
MD5
fd4a1db355d38e4ea9152b5633c7e5d0
-
SHA1
ebbd388008a94ec8a20724ea4f6ee48bfc93e238
-
SHA256
d00755892b27ea561c12ebf3cf369c405177152a586e75614cffa92ce0eca10b
-
SHA512
bd36ef0d89b65262ad7ff350d69fb4eff7212d6a4eece2ee379d797772b88c9c85af1089c146a626dd1d7edc9f5b112b1c68af5a59f53cfd5a2434bc694f6751
-
SSDEEP
24576:P1u4PpqsaMFOxrq5h0BfrV2rCdArKPwvOBBqdO:P3PpZgq56TV2ruDnBqdO
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.jackbarber.com - Port:
587 - Username:
[email protected] - Password:
g4$bQ3T-9d - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\82105269.exe"C:\Users\Admin\AppData\Local\Temp\82105269.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mynJKXltwPj.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mynJKXltwPj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp30D4.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD51ddd8c9bdc74c1cf71f65e94d2f1275a
SHA1f0e795d70fd3682c170c30a6f6ca034c15fca664
SHA256c6428b05720e959311bfb7f81a54511692b01db69b87af1ec529fe7456d3f20c
SHA5122ad00b7b28b0c125b3c92ef9314ddcdd4370bdbcfeebfb797ec1ea5eba48d597013aa85ae18be90c7a40f506f5b590c55137aaaec5490a7b4715525c9f218949
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
216KB
-
Filesize
600KB
-
Filesize
6.2MB
-
Filesize
40KB
-
Filesize
408KB
-
Filesize
136KB
-
Filesize
120KB
-
Filesize
56KB
-
Filesize
6.5MB
-
Filesize
200KB
-
Filesize
304KB
-
Filesize
240KB
-
Filesize
320KB
-
Filesize
1.1MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
40KB