Analysis

  • max time kernel
    49s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
  • submitted
    30/03/2023, 13:09 UTC

General

  • Target
    New PO #23546738.exe
  • Size
    707KB
  • MD5
    80c0b9e8a00242d0fb960584d89d745e
  • SHA1
    fb6bb9c955f030eb906e532813f7c7c6102ec55e
  • SHA256
    0a8368bab522deb622eca5805bc7bc6da0d4a6a63fae959c41c22c7d0b5ffa63
  • SHA512
    539017fd581d853b9e369eea90447001b08eb816948b3ab45fc9b082cfaaf65f1bb4b3af6cefb22bb1aae3190917ef47d41ce4c1794d546c2e023b628c6d3a71
  • SSDEEP
    12288:l3B2nTxM9+/nT92EiggkPIYP1QF7MKqv27bYyywV37Zb:lSbT92E8kPT1QFJ22GwVrF

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    tashkent@ess-lnvest-trading.com
  • Password:
    olu chu kwu 554
  • Email To:
    tashkent@ess-lnvest-trading.com

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
    "C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YJmfGxcN" /XML "C:\Users\Admin\AppData\Local\Temp\tmp696.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1380
    • C:\Users\Admin\AppData\Local\Temp\New PO #23546738.exe
      "{path}"
      2⤵
      • Accesses Microsoft Outlook profiles
      • Suspicious use of AdjustPrivilegeToken
      • outlook_office_path
      • outlook_win_path
      PID:996

Network

  • DNS
    api.ipify.org
    New PO #23546738.exe
    Remote address:
    8.8.8.8:53
    Request
    api.ipify.org
    IN A
    Response
    api.ipify.org
    IN CNAME
    api4.ipify.org
    api4.ipify.org
    IN A
    104.237.62.211
    api4.ipify.org
    IN A
    64.185.227.155
    api4.ipify.org
    IN A
    173.231.16.76
  • GET
    https://api.ipify.org/
    New PO #23546738.exe
    Remote address:
    104.237.62.211:443
    Request
    GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Content-Length: 12
    Content-Type: text/plain
    Date: Thu, 30 Mar 2023 13:09:50 GMT
    Vary: Origin
  • 104.237.62.211:443
    https://api.ipify.org/
    tls, http
    New PO #23546738.exe
    1.1kB
    7.0kB
    11
    12

    HTTP Request

    GET https://api.ipify.org/

    HTTP Response

    200
  • 8.8.8.8:53
    api.ipify.org
    dns
    New PO #23546738.exe
    59 B
    126 B
    1
    1

    DNS Request

    api.ipify.org

    DNS Response

    104.237.62.211
    64.185.227.155
    173.231.16.76

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp696.tmp
    Filesize: 1KB
    MD5: fb515e0d9c40cf28de2021dd497bd474
    SHA1: b22685c1061236a7f4b26080acb41399c4832373
    SHA256: 5cf344de3261990d13dda968a2138a9532bf6bd799b16caf6902bbb4f02ff138
    SHA512: b85c3f053d4fc193eee5bf17da4616f60be3054a46a8a856f84c1cf7d6bdfa1d127ac3ae5b3332f8953bd6adaa44e5a50d66dd782974d68e70c3f3ceb2be47c6
  • memory/996-68-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-64-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-91-0x0000000004D60000-0x0000000004DA0000-memory.dmp
    Filesize: 256KB
  • memory/996-73-0x0000000004D60000-0x0000000004DA0000-memory.dmp
    Filesize: 256KB
  • memory/996-72-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-70-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-63-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-66-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/996-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize: 4KB
  • memory/996-65-0x0000000000400000-0x0000000000430000-memory.dmp
    Filesize: 192KB
  • memory/1740-56-0x0000000000280000-0x000000000028C000-memory.dmp
    Filesize: 48KB
  • memory/1740-54-0x0000000000290000-0x0000000000346000-memory.dmp
    Filesize: 728KB
  • memory/1740-55-0x0000000000BC0000-0x0000000000C00000-memory.dmp
    Filesize: 256KB
  • memory/1740-59-0x0000000004750000-0x0000000004780000-memory.dmp
    Filesize: 192KB
  • memory/1740-58-0x00000000051B0000-0x000000000522C000-memory.dmp
    Filesize: 496KB
  • memory/1740-57-0x0000000000BC0000-0x0000000000C00000-memory.dmp
    Filesize: 256KB
