Analysis
- max time kernel: 157s
- max time network: 179s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 16:25
Static task
- static1
Behavioral task
- behavioral1
- Sample: 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe
- Resource: win7-20221111-en
Behavioral task
- behavioral2
- Sample: 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe
- Resource: win10v2004-20220812-en
General
- Target: 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe
- Size: 776KB
- MD5: 5f5007d479284c637ee7af9ecf085ff9
- SHA1: b1d249b76d71b5486453ee088a30ab66398e1f74
- SHA256: 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a
- SHA512: 899106d3a206d55ae94b2775c38c59a29db47a55e42da1bd9eae28afe3099193812a863e62d1f2a6f3afcfef7137f4c2ca0955c95f271197aae1bd502845b051
- SSDEEP: 6144:qD2v7gkRvi3Kg4B1Rj7XvlczaB2DH2wMZgIaBI72xxaT+DSmKaWMueU+JqV3pDT/:werNJSsZgVm2WCD1KtMuL+J8VSpto
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: box@alscotop.com
- Password: godisgreat
Signatures
-
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, commonly written in Visual Basic .NET; this sample's exfiltration channel is the SMTP account in the extracted config above.
-
AgentTesla payload (1 IoC)
Processes:
- resource: behavioral2/memory/4264-139-0x0000000000400000-0x000000000043C000-memory.dmp
- yara_rule: family_agenttesla
-
Executes dropped EXE (1 IoC)
Processes:
- pid 4264: InstallUtil.exe
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 1020 (93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe) set thread context of PID 4264 (InstallUtil.exe)
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
- pid 1020: 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe (2 entries)
- pid 4264: InstallUtil.exe (2 entries)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
- Token: SeDebugPrivilege, pid 1020, 93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe
- Token: SeDebugPrivilege, pid 4264, InstallUtil.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1020 (93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe) wrote to memory of PID 4264 (InstallUtil.exe), 8 identical entries
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
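Read together, the signature tables and the process tree describe one technique: the dropper (pid 1020) writes a copy of InstallUtil.exe to %TEMP%, starts it, writes into the new process eight times, then calls SetThreadContext on it, and the region the sandbox later dumps from the child at 0x400000-0x43C000 is what matches family_agenttesla. That is process hollowing of a legitimate .NET utility, with the extracted SMTP account as the exfiltration channel. The following Python is an added example for this report, not Triage code and not part of the sample: it turns the host events transcribed from the tables above into a small correlation check that flags a parent which both writes memory and sets thread context on the same child, adds the InstallUtil.exe-outside-the-Framework-directory indicator, and ties in a later outbound SMTP connection from the hollowed pid. The list of expected InstallUtil.exe directories is an assumption about a default Windows 10 x64 install, and the single network event is constructed for illustration, since this report's Network section is empty and no such connection was recorded here.

```python
"""Correlate the hollowing pattern from the report's signature tables with a
later SMTP connection to the extracted C2.  Added example, not Triage code.

Host events are transcribed from the report.  The network event is
CONSTRUCTED: the sandbox recorded no network traffic for this run.
"""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# From "Malware Config / Extracted" in the report.
C2_SMTP_HOST = "mail.privateemail.com"
C2_SMTP_PORT = 587

# Assumption: where a genuine InstallUtil.exe lives on a default Windows 10 x64
# install (.NET Framework 4.x, 32-bit and 64-bit directories).
EXPECTED_INSTALLUTIL_DIRS = {
    r"c:\windows\microsoft.net\framework\v4.0.30319",
    r"c:\windows\microsoft.net\framework64\v4.0.30319",
}

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\93caf26ccb41093ce2efaac4631c354b9a69e5da6bc71e3fa1bd84a531603b8a.exe"
CHILD = r"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"


@dataclass(frozen=True)
class Event:
    kind: str                 # create | write_memory | set_thread_context | connect
    pid: int
    image: str
    target_pid: int = 0
    target_image: str = ""
    dst_host: str = ""
    dst_port: int = 0


EVENTS = (
    [Event("create", 1020, SAMPLE, 4264, CHILD)]                        # "Executes dropped EXE"
    + [Event("write_memory", 1020, SAMPLE, 4264, CHILD)] * 8            # 8 WriteProcessMemory IoCs
    + [Event("set_thread_context", 1020, SAMPLE, 4264, CHILD)]          # 1 SetThreadContext IoC
    + [Event("connect", 4264, CHILD, dst_host=C2_SMTP_HOST, dst_port=C2_SMTP_PORT)]  # constructed
)


def hollowing_candidates(events):
    """Map child pid -> parent pid where one process both wrote the child's memory
    and replaced a thread context in it.  Either call alone is common in benign
    software (debuggers, CLR startup); the pair from one parent is the hollowing tell."""
    writers = defaultdict(set)
    ctx_setters = defaultdict(set)
    for e in events:
        if e.kind == "write_memory":
            writers[e.target_pid].add(e.pid)
        elif e.kind == "set_thread_context":
            ctx_setters[e.target_pid].add(e.pid)
    return {child: min(writers[child] & ctx_setters[child])
            for child in writers if writers[child] & ctx_setters[child]}


def misplaced_installutil(image):
    """True when a file named InstallUtil.exe runs from outside the .NET Framework
    directories, as the %TEMP% copy in this report does."""
    if ntpath.basename(image).lower() != "installutil.exe":
        return False
    return ntpath.dirname(image).lower() not in EXPECTED_INSTALLUTIL_DIRS


def findings(events):
    """Return (child_pid, parent_pid, [reasons]) for each hollowed process, adding
    reasons for image masquerading and for C2 traffic originating in the child."""
    images = {}
    for e in events:
        images[e.pid] = e.image
        if e.target_pid:
            images[e.target_pid] = e.target_image
    out = []
    for child, parent in sorted(hollowing_candidates(events).items()):
        reasons = [f"pid {parent} wrote memory of pid {child} and set its thread context"]
        if misplaced_installutil(images.get(child, "")):
            reasons.append(f"{images[child]} is not the .NET Framework InstallUtil.exe location")
        for e in events:
            if e.kind == "connect" and e.pid == child and (
                    e.dst_host == C2_SMTP_HOST or e.dst_port == C2_SMTP_PORT):
                reasons.append(f"hollowed pid {child} connected to {e.dst_host}:{e.dst_port}")
        out.append((child, parent, reasons))
    return out


if __name__ == "__main__":
    for child, parent, reasons in findings(EVENTS):
        print(f"hollowed process {child} (parent {parent}):")
        for r in reasons:
            print("  -", r)
```

The check keys on the parent performing both writes and the context reset on the same child; a rule on WriteProcessMemory alone fires constantly on a .NET host. Port 587 from a process that is not a mail client is the cheap network-side companion to this host-side pattern.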
Network
MITRE ATT&CK Matrix
Downloads
-
C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
- Filesize: 41KB
- MD5: 5d4073b2eb6d217c19f2b22f21bf8d57
- SHA1: f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
- SHA256: ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
- SHA512: 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159
-
memory/1020-132-0x0000000000170000-0x0000000000238000-memory.dmp
- Filesize: 800KB
-
memory/1020-133-0x00000000050E0000-0x0000000005684000-memory.dmp
- Filesize: 5.6MB
-
memory/1020-134-0x0000000004B30000-0x0000000004BC2000-memory.dmp
- Filesize: 584KB
-
memory/1020-135-0x0000000004F30000-0x0000000004FCC000-memory.dmp
- Filesize: 624KB
-
memory/1020-136-0x00000000065A0000-0x0000000006606000-memory.dmp
- Filesize: 408KB
-
memory/1020-137-0x00000000009E0000-0x0000000000A02000-memory.dmp
- Filesize: 136KB
-
memory/4264-138-0x0000000000000000-mapping.dmp
-
memory/4264-139-0x0000000000400000-0x000000000043C000-memory.dmp
- Filesize: 240KB