Analysis
-
max time kernel
58s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
30-03-2023 12:07
General
-
Target
shipment 04629673893.exe
-
Size
743KB
-
MD5
4865f16a685bc3b34a91f595247f30e7
-
SHA1
c9e898e4c7c9026f0fded242d499ddb61b69a639
-
SHA256
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
-
SHA512
db1f449a2983bcaee04aa66852d94190ad02482c9944b0d13134cdb82379d6a86721d5412903090450ce0b4ec8e5e9a629cad321b76a2a762d6bc7f548ebd864
-
SSDEEP
12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"{path}"2⤵
-
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1100-61-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-65-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-91-0x0000000004E40000-0x0000000004E80000-memory.dmpFilesize
256KB
-
memory/1100-90-0x0000000004E40000-0x0000000004E80000-memory.dmpFilesize
256KB
-
memory/1100-89-0x0000000004E40000-0x0000000004E80000-memory.dmpFilesize
256KB
-
memory/1100-59-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-68-0x0000000004E40000-0x0000000004E80000-memory.dmpFilesize
256KB
-
memory/1100-60-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-58-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-63-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1100-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1100-67-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/1720-55-0x0000000000280000-0x000000000028C000-memory.dmpFilesize
48KB
-
memory/1720-54-0x0000000000AC0000-0x0000000000B80000-memory.dmpFilesize
768KB
-
memory/1720-57-0x0000000000530000-0x000000000056C000-memory.dmpFilesize
240KB
-
memory/1720-56-0x0000000004D40000-0x0000000004DBA000-memory.dmpFilesize
488KB