Analysis
-
max time kernel
94s -
max time network
67s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
23-11-2022 15:17
General
-
Target
file.exe
-
Size
1.2MB
-
MD5
b0683925365bc31d28e77520b55a6175
-
SHA1
2ce8ad01ee917b1307eb706b33fcc7af7276612e
-
SHA256
675e5a2d1850dbf2fd2a6e99bc566e717a3b2221c7fe4c6c0ce28cd14e09f64e
-
SHA512
6272ff19d48d60a1477a5e06ac93dca854c49e9193fadd481e76419821fec68e0364e4c8991711f634e98ca990fc142efffdc8f082f7731641be41bff40fb0ad
-
SSDEEP
24576:e9ntG/qdOxaNr+TcSQwfKYQCXcgyQTEeNPDsDO:ms/qdOxaZsswSYQWPPAeNo
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
server196.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
lagos@123 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1688-64-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-63-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-70-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-68-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-66-0x0000000000437C8E-mapping.dmp
-
memory/1688-61-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-65-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1688-60-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1752-55-0x0000000076261000-0x0000000076263000-memory.dmpFilesize
8KB
-
memory/1752-54-0x0000000000C30000-0x0000000000D62000-memory.dmpFilesize
1.2MB
-
memory/1752-59-0x0000000004A20000-0x0000000004A90000-memory.dmpFilesize
448KB
-
memory/1752-58-0x0000000006100000-0x00000000061AA000-memory.dmpFilesize
680KB
-
memory/1752-57-0x00000000004D0000-0x00000000004DC000-memory.dmpFilesize
48KB
-
memory/1752-56-0x00000000004B0000-0x00000000004C8000-memory.dmpFilesize
96KB