Analysis
-
max time kernel
134s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
30-03-2023 12:07
General
-
Target
shipment 04629673893.exe
-
Size
743KB
-
MD5
4865f16a685bc3b34a91f595247f30e7
-
SHA1
c9e898e4c7c9026f0fded242d499ddb61b69a639
-
SHA256
64b6ea060734356b1932cbe5f252ba9fb6169717a0ab7dd9063b3ee19c71b057
-
SHA512
db1f449a2983bcaee04aa66852d94190ad02482c9944b0d13134cdb82379d6a86721d5412903090450ce0b4ec8e5e9a629cad321b76a2a762d6bc7f548ebd864
-
SSDEEP
12288:Qt1esNS+7GrRybegXjup/inqt0qKmwRZ5J+:ri7GrRyKTNh0awr5Y
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5970985875:AAGxcS7riy4ZlEmFj2Z031AsUoRvment2iI/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shipment 04629673893.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shipment 04629673893.exe.logFilesize
412B
MD5e72888b5960716cf170f3e1becd14370
SHA10aeefd2d4a7948a03aad625ca86fc34d79adf248
SHA2568317f594f74040b50e1b88f4aba5e6da3423bf47fe91df59e6e85f37b1f7e0ab
SHA5129cdfda6fc4f324dfd8d53b46610114252431a5d26296a6f3d606b8ffeef172263fbde9ce0a1b2b9232dabcdabd33d6677e9a5f7693b175f24cea622c31b5c6b7
-
memory/824-143-0x0000000006DA0000-0x0000000006DF0000-memory.dmpFilesize
320KB
-
memory/824-137-0x0000000000400000-0x000000000043C000-memory.dmpFilesize
240KB
-
memory/824-140-0x0000000005B80000-0x0000000006124000-memory.dmpFilesize
5.6MB
-
memory/824-141-0x00000000056B0000-0x00000000056C0000-memory.dmpFilesize
64KB
-
memory/824-142-0x00000000062F0000-0x0000000006356000-memory.dmpFilesize
408KB
-
memory/824-147-0x0000000006F70000-0x0000000006F7A000-memory.dmpFilesize
40KB
-
memory/824-148-0x00000000056B0000-0x00000000056C0000-memory.dmpFilesize
64KB
-
memory/824-149-0x00000000056B0000-0x00000000056C0000-memory.dmpFilesize
64KB
-
memory/824-150-0x00000000056B0000-0x00000000056C0000-memory.dmpFilesize
64KB
-
memory/4432-135-0x00000000056F0000-0x0000000005782000-memory.dmpFilesize
584KB
-
memory/4432-136-0x0000000005900000-0x0000000005910000-memory.dmpFilesize
64KB
-
memory/4432-134-0x0000000005650000-0x00000000056EC000-memory.dmpFilesize
624KB
-
memory/4432-133-0x0000000000BC0000-0x0000000000C80000-memory.dmpFilesize
768KB