Analysis
-
max time kernel
49s -
max time network
52s -
platform
windows7_x64 -
resource
win7-20220901-en -
resource tags
-
submitted
24-11-2022 12:25
General
-
Target
1919.exe
-
Size
559KB
-
MD5
205083f15a3856bc55543a1584fc5e26
-
SHA1
a6d28626b6199d5e74cd403b601971bdc94c31c8
-
SHA256
4e917ed708e6c20ca6f74372e37680aac6af8a9fc214e903ff4297438cf94261
-
SHA512
5ed7c8d21060fb03fdf32a1282b28f8160ced94e3f78facf37dc9d0b158b8e9ecf29aa5f4165cae4860730abe91c99c03218b6ac48c20de905ebbf55ea2e8a5d
-
SSDEEP
6144:bBnyiTgcabVMZhjyaBfQxPul+b5YkD50gkzYLCO9zdGb+B7oSEz2buuEJIDcc4em:YfccMmaB0uWafz+CWGKKiSuywV4YC
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5453942321:AAF6CS9julQ6K7s5pxacNALwWJ2A52D0EC4/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1919.exe"C:\Users\Admin\AppData\Local\Temp\1919.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hzhbur.exe"C:\Users\Admin\AppData\Local\Temp\hzhbur.exe" C:\Users\Admin\AppData\Local\Temp\emanbvbic.aa2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hzhbur.exe"C:\Users\Admin\AppData\Local\Temp\hzhbur.exe" C:\Users\Admin\AppData\Local\Temp\emanbvbic.aa3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7KB
MD598e2bf47777a7c5dfdc63a896d62651d
SHA18f33bd57fca819c4e16de190baac86a5313fb0b4
SHA25671428c125226cfd3de47f5c29c2e04e34291e414d53d4914a75524f9bab993a2
SHA51236d3c09d38c0b6ac19e785c11ea9753cf81f2ecdf56c8a05702f340f82c4547d54055c013b5affaaba02f18857a90a4fbae5b4889b50df48efe2220caaff34d3
-
Filesize
333KB
MD5623c9c64aeb1e1588586d7b1108b5e91
SHA12d7164742f7e3cc911af7e33186ffed6a61cdab0
SHA256e1b3ec9e724ebf04a57731de83ebfb6b4739bb356923451a8eeb97bf00569580
SHA51245791164a9ef2826bd132a372ffcde3364713fc94f56abfe1dcbe87035feaa0d28846e42ff7b9e6e6d01d7679d75822c7ae8329533b65a35309d4df7c60f139b
-
Filesize
333KB
MD5623c9c64aeb1e1588586d7b1108b5e91
SHA12d7164742f7e3cc911af7e33186ffed6a61cdab0
SHA256e1b3ec9e724ebf04a57731de83ebfb6b4739bb356923451a8eeb97bf00569580
SHA51245791164a9ef2826bd132a372ffcde3364713fc94f56abfe1dcbe87035feaa0d28846e42ff7b9e6e6d01d7679d75822c7ae8329533b65a35309d4df7c60f139b
-
Filesize
333KB
MD5623c9c64aeb1e1588586d7b1108b5e91
SHA12d7164742f7e3cc911af7e33186ffed6a61cdab0
SHA256e1b3ec9e724ebf04a57731de83ebfb6b4739bb356923451a8eeb97bf00569580
SHA51245791164a9ef2826bd132a372ffcde3364713fc94f56abfe1dcbe87035feaa0d28846e42ff7b9e6e6d01d7679d75822c7ae8329533b65a35309d4df7c60f139b
-
Filesize
296KB
MD5a6c1f4366a2a4e89180ba3122f9925e3
SHA1fb768860326b67a5e9acafb886e81a69985aefcb
SHA25641b673b0d641aa13d712ab7622d6797b02ae2e61b8eef99a779e0ad11398e5d7
SHA51246bae34b71fa083a8d4a3c31ae93e3f9daa56c5ae265bfbbb9650a8d7f4ba24da532738e5f3cfdd39ccdda3cf172190472048b7d3a28736f00965fd5492bea91
-
Filesize
333KB
MD5623c9c64aeb1e1588586d7b1108b5e91
SHA12d7164742f7e3cc911af7e33186ffed6a61cdab0
SHA256e1b3ec9e724ebf04a57731de83ebfb6b4739bb356923451a8eeb97bf00569580
SHA51245791164a9ef2826bd132a372ffcde3364713fc94f56abfe1dcbe87035feaa0d28846e42ff7b9e6e6d01d7679d75822c7ae8329533b65a35309d4df7c60f139b
-
Filesize
333KB
MD5623c9c64aeb1e1588586d7b1108b5e91
SHA12d7164742f7e3cc911af7e33186ffed6a61cdab0
SHA256e1b3ec9e724ebf04a57731de83ebfb6b4739bb356923451a8eeb97bf00569580
SHA51245791164a9ef2826bd132a372ffcde3364713fc94f56abfe1dcbe87035feaa0d28846e42ff7b9e6e6d01d7679d75822c7ae8329533b65a35309d4df7c60f139b
-
-
Filesize
312KB
-
Filesize
240KB
-
Filesize
8KB
-