Analysis
-
max time kernel
175s -
max time network
189s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
08-12-2022 11:17
General
-
Target
5ecf7b57409e0684d29b08714b8c09f8.exe
-
Size
340KB
-
MD5
5ecf7b57409e0684d29b08714b8c09f8
-
SHA1
16f96d4d32722f42736b622e5783f2c22c7383a3
-
SHA256
08faf3ebd270f39ce947726573b16c022e385830676bb73edd2e7ccaf4ac1f96
-
SHA512
09ded1799a68eec113805832554c56a0cbc4f6dfd98c4e5e21337f74d36ed19964ed8a6225c5878923a20c4f74472510f2f7d8751d67e64fd2319a05dbf28aa1
-
SSDEEP
6144:CDQ2EdE8FC6gW7wYzxbCIKXt3cEhon2Xvx3C9nUh1PQBjbrbh:/bDnNwYzxFKXhhs2XvxeUh1PQhbrbh
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.leonardfood.com - Port:
587 - Username:
[email protected] - Password:
K@rimi95 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Drops startup file 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe"C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell" Copy-Item 'C:\Users\Admin\AppData\Local\Temp\5ecf7b57409e0684d29b08714b8c09f8.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%Namee%'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/444-132-0x0000000000B00000-0x0000000000B5E000-memory.dmpFilesize
376KB
-
memory/444-133-0x0000000009B20000-0x0000000009BBC000-memory.dmpFilesize
624KB
-
memory/444-134-0x000000000A370000-0x000000000A914000-memory.dmpFilesize
5.6MB
-
memory/3308-140-0x0000000004F60000-0x0000000004F82000-memory.dmpFilesize
136KB
-
memory/3308-136-0x0000000002660000-0x0000000002696000-memory.dmpFilesize
216KB
-
memory/3308-139-0x0000000005300000-0x0000000005928000-memory.dmpFilesize
6.2MB
-
memory/3308-135-0x0000000000000000-mapping.dmp
-
memory/3308-141-0x0000000005100000-0x0000000005166000-memory.dmpFilesize
408KB
-
memory/3308-142-0x0000000005170000-0x00000000051D6000-memory.dmpFilesize
408KB
-
memory/3308-143-0x0000000005240000-0x000000000525E000-memory.dmpFilesize
120KB
-
memory/3308-145-0x0000000007050000-0x00000000070E6000-memory.dmpFilesize
600KB
-
memory/3308-146-0x0000000000DD0000-0x0000000000DEA000-memory.dmpFilesize
104KB
-
memory/3308-147-0x0000000006420000-0x0000000006442000-memory.dmpFilesize
136KB
-
memory/4884-137-0x0000000000000000-mapping.dmp
-
memory/4884-138-0x0000000000400000-0x000000000043A000-memory.dmpFilesize
232KB
-
memory/4884-144-0x00000000067E0000-0x0000000006830000-memory.dmpFilesize
320KB