Analysis
-
max time kernel
171s -
max time network
181s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
07-12-2022 11:57
General
-
Target
EA-0052578-76NATIONAL-CHILE.js
-
Size
9KB
-
MD5
37e730fea347640f0f05f5a19edf27cb
-
SHA1
4a21133bf81b0eb9c0617bb0dd8c11bb60c304ef
-
SHA256
1a458d3d0c74461aa285c58dba89cde96e3640c32fb5d0a58ab4af03cd5f47ae
-
SHA512
fbe172d798a3a9b16991cac88ae61fc67a7317b4bc372a7291cbbc0f542cc347866108de7a12139cf8726b373bdbdad78099689232b763c9a87951ad1147ba8c
-
SSDEEP
192:wXagjk3BDdUvDvgOxTVFZWimckvF5nCvFCwQdMrjx0nh1WS+SYHf1BVMZQgOZEuS:wqYkRdUvD9VEiONBu5+a/tT32CQaHiP
Malware Config
Extracted
Protocol: smtp- Host:
smtp.leonardfood.com - Port:
587 - Username:
[email protected] - Password:
K@rimi95
Extracted
agenttesla
Protocol: smtp- Host:
smtp.leonardfood.com - Port:
587 - Username:
[email protected] - Password:
K@rimi95 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 4 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\EA-0052578-76NATIONAL-CHILE.js1⤵
- Blocklisted process makes network request
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\JHBHGatT.exe"C:\Users\Admin\AppData\Local\Temp\JHBHGatT.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
858KB
MD560c2ecb44642d9e51cd4b17b82358cb8
SHA18915a7b1bc4e9a0795877f1a1063dc9cdfb00f9e
SHA256559e053e4acfbcb073e2f2614d733a4ef73f778147a2c58f881a46a8bd3a88f8
SHA512cc0e3229b870faf6c25af7bebf545dbddebe2669db9eaefc74adb3569d041d54ff531cf903c721e8653de200bbbcc924b701c215fb2ae78b9a136d390d7c4b56
-
Filesize
858KB
MD560c2ecb44642d9e51cd4b17b82358cb8
SHA18915a7b1bc4e9a0795877f1a1063dc9cdfb00f9e
SHA256559e053e4acfbcb073e2f2614d733a4ef73f778147a2c58f881a46a8bd3a88f8
SHA512cc0e3229b870faf6c25af7bebf545dbddebe2669db9eaefc74adb3569d041d54ff531cf903c721e8653de200bbbcc924b701c215fb2ae78b9a136d390d7c4b56
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
232KB
-
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
320KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
-
Filesize
880KB