Analysis
- max time kernel: 135s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 31-03-2023 01:26
Static task: static1
Behavioral task: behavioral1
  Sample: 5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: 5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
  Resource: win10v2004-20230220-en
General
- Target: 5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe
- Size: 1.1MB
- MD5: 5b1f4e2b1ae240311980d2f6186cf88e
- SHA1: 36e0e9c15f9d21c9ecbd40ac3bdf03ab34245c82
- SHA256: 5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1
- SHA512: 42db37dbf80ce648f72e7afcb8be38b9c81c30e366531d913b9e690c69312d551ef217e343a8810e1c024124cc516df9108ecb299533357ad818e20bd1ab2162
- SSDEEP: 12288:zWHNC1Q/rusz7NxS+Q7+GvwP2FAihZ+YBtskhYT75geR5Of6oAGGomaJQWRu125X:sLGHK5EGjtWo1raPMVu
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.mibmglobal.com
- Port: 587
- Username: kavita@mibmglobal.com
- Password: mibmg3010!
- Email To: davidsurly1@gmail.com
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET.
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: AddInProcess32.exe (PID 2104)
  Key opened: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  Key opened: \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  PID 2036 (5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe, the sample) set the thread context of PID 2104 (AddInProcess32.exe).
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  All 22 events originate from PID 2036 (the sample).
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2036 (the sample)
  Token: SeDebugPrivilege, PID 2104 (AddInProcess32.exe)
- Suspicious use of WriteProcessMemory (31 IoCs)
  All writes originate from PID 2036 (the sample). Target process, target PID, number of writes:
  AddInUtil.exe, 3816, 2
  jsc.exe, 1944, 3
  cvtres.exe, 372, 2
  aspnet_regbrowsers.exe, 4112, 2
  ngentask.exe, 1876, 2
  MSBuild.exe, 2872, 2
  EdmGen.exe, 2056, 2
  RegAsm.exe, 2252, 2
  dfsvc.exe, 2180, 2
  SMSvcHost.exe, 2124, 2
  DataSvcUtil.exe, 3808, 2
  AddInProcess32.exe, 2104, 8
  Only AddInProcess32.exe (PID 2104) receives the full run of writes followed by the SetThreadContext call, and it is the only child that then requests SeDebugPrivilege and reads the Outlook profile keys; the other eleven .NET Framework processes receive two or three writes each and no further activity is recorded for them in this report.
- outlook_office_path (1 IoC)
  AddInProcess32.exe opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  AddInProcess32.exe opened \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
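The WriteProcessMemory and SetThreadContext IoCs above are what lets an analyst tell which of the twelve spawned .NET Framework processes actually became the hollowed host. The Python below is an added example and not part of the sandbox report: it rebuilds those IoCs as a constructed event list (the Event record and its field names are an assumed shape, not a sandbox or EDR export format), correlates them into per-target chains, ranks first the chain that both received writes and had its thread context replaced, and attributes the target's later same-process activity (SeDebugPrivilege, the Outlook key) to that chain.

```python
"""Correlate cross-process API calls into a process-hollowing chain.

Added example, not part of the sandbox report. The event list is built from
the report's Signatures section: the sample (PID 2036) wrote into twelve
.NET Framework processes, but only AddInProcess32.exe (PID 2104) also had
its thread context replaced and then went on to open an Outlook profile key.
The Event record and its field names are an assumed shape, not a real
sandbox or EDR export format.
"""
from dataclasses import dataclass, field
from typing import Optional

SAMPLE_EXE = "5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe"


@dataclass
class Event:
    api: str                      # e.g. WriteProcessMemory, SetThreadContext, RegOpenKey
    pid: int                      # calling process
    target: Optional[int] = None  # target PID for cross-process calls, None otherwise
    image: str = ""               # image of the target (or of the caller if same-process)
    detail: str = ""


# (target PID, image, number of WriteProcessMemory calls) taken from the report.
WRITES = [
    (3816, "AddInUtil.exe", 2), (1944, "jsc.exe", 3), (372, "cvtres.exe", 2),
    (4112, "aspnet_regbrowsers.exe", 2), (1876, "ngentask.exe", 2),
    (2872, "MSBuild.exe", 2), (2056, "EdmGen.exe", 2), (2252, "RegAsm.exe", 2),
    (2180, "dfsvc.exe", 2), (2124, "SMSvcHost.exe", 2), (3808, "DataSvcUtil.exe", 2),
    (2104, "AddInProcess32.exe", 8),
]
OUTLOOK_KEY = (r"\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000"
               r"\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676")


def sample_events() -> list:
    """Constructed event stream mirroring the report's Signatures tables."""
    ev = []
    for pid, image, n in WRITES:
        ev.extend(Event("WriteProcessMemory", 2036, pid, image) for _ in range(n))
    ev.append(Event("SetThreadContext", 2036, 2104, "AddInProcess32.exe"))
    ev.append(Event("AdjustTokenPrivileges", 2036, None, SAMPLE_EXE, "SeDebugPrivilege"))
    ev.append(Event("AdjustTokenPrivileges", 2104, None, "AddInProcess32.exe", "SeDebugPrivilege"))
    ev.append(Event("RegOpenKey", 2104, None, "AddInProcess32.exe", OUTLOOK_KEY))
    return ev


@dataclass
class Chain:
    injector: int
    target: int
    image: str
    writes: int = 0
    thread_hijacked: bool = False
    post_injection: list = field(default_factory=list)

    @property
    def complete(self) -> bool:
        # Hollowing needs both a payload written and execution redirected into it.
        return self.writes > 0 and self.thread_hijacked


def correlate(events) -> list:
    """Group cross-process calls by (injector, target); complete chains rank first."""
    chains = {}
    for e in events:
        if e.target is None:
            continue
        c = chains.setdefault((e.pid, e.target), Chain(e.pid, e.target, e.image))
        if e.api == "WriteProcessMemory":
            c.writes += 1
        elif e.api == "SetThreadContext":
            c.thread_hijacked = True
    # Whatever a hijacked target does afterwards belongs to the chain: its own
    # code is no longer what is running in that process.
    hijacked = {c.target: c for c in chains.values() if c.thread_hijacked}
    for e in events:
        if e.target is None and e.pid in hijacked:
            hijacked[e.pid].post_injection.append(f"{e.api} {e.detail}".strip())
    return sorted(chains.values(), key=lambda c: (not c.complete, -c.writes))


if __name__ == "__main__":
    for c in correlate(sample_events()):
        status = "COMPLETE" if c.complete else "partial "
        print(f"{status} {c.injector} -> {c.target:>5} {c.image:<24} writes={c.writes}")
        for line in c.post_injection:
            print(f"          after hijack: {line}")
```

Run stand-alone it prints the twelve chains with AddInProcess32.exe first; the partial chains (two or three writes, no thread hijack) are the noise a detection rule should tolerate while still alerting on the completed one.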
Processes
- C:\Users\Admin\AppData\Local\Temp\5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe (PID 2036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Children (each started by the sample with a command line that is only the image path, no arguments):
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe (PID 3816)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (PID 1944)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe (PID 372)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe (PID 4112)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe (PID 1876)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (PID 2872)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe (PID 2056)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (PID 2252)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe (PID 2180)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (PID 2124)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe (PID 3808)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe (PID 2104)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
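Every child in the tree above is a .NET Framework binary launched from %TEMP% with a command line that is nothing but the image path. That is the shape a process-creation rule can key on without any API-call telemetry. The Python below is an added example, not part of the report: it runs that rule over constructed Sysmon Event ID 1 records modelled on the tree (field names follow Sysmon; the timestamps and the two benign control events, a Visual Studio MSBuild build and an installer started from Downloads, are invented for the example) and raises the severity when one parent launches several distinct .NET binaries this way.

```python
"""Flag .NET Framework binaries launched as bare hollowing hosts.

Added example, not part of the sandbox report. It runs over constructed
Sysmon Event ID 1 (process creation) records modelled on the report's
process tree: a sample in the user's Temp directory (PID 2036) launched
twelve binaries from the Framework64 v4.0.30319 directory with no
arguments. Field names follow Sysmon; timestamps and the two benign
control events are invented.
"""
import re
from collections import defaultdict

# Any executable directly under a .NET Framework version directory.
DOTNET_DIR = re.compile(
    r"^c:\\windows\\microsoft\.net\\framework(64)?\\v[\d.]+\\[^\\]+\.exe$", re.I)
# Parent locations an unprivileged user (and therefore a dropper) can write to.
USER_WRITABLE = re.compile(
    r"^c:\\users\\[^\\]+\\(appdata\\local\\temp|appdata\\roaming|downloads)\\", re.I)

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\5da1b3537b33feef0da4adcc435e682b875de40a6e3ce1024a6c5e483bda8ff1.exe")
FX64 = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"
CHILDREN = [  # (PID, image) as recorded in the report's WriteProcessMemory IoCs
    (3816, "AddInUtil.exe"), (1944, "jsc.exe"), (372, "cvtres.exe"),
    (4112, "aspnet_regbrowsers.exe"), (1876, "ngentask.exe"), (2872, "MSBuild.exe"),
    (2056, "EdmGen.exe"), (2252, "RegAsm.exe"), (2180, "dfsvc.exe"),
    (2124, "SMSvcHost.exe"), (3808, "DataSvcUtil.exe"), (2104, "AddInProcess32.exe"),
]


def sample_events():
    """Constructed Sysmon-style process-creation records."""
    events = []
    for i, (pid, exe) in enumerate(CHILDREN):
        image = f"{FX64}\\{exe}"
        events.append({"UtcTime": f"2023-03-31 01:27:{i:02d}.000", "ProcessId": pid,
                       "Image": image, "CommandLine": f'"{image}"',
                       "ParentProcessId": 2036, "ParentImage": SAMPLE})
    # Benign control 1: MSBuild started by Visual Studio with a project argument.
    events.append({"UtcTime": "2023-03-31 01:28:00.000", "ProcessId": 5000,
                   "Image": f"{FX64}\\MSBuild.exe",
                   "CommandLine": f'"{FX64}\\MSBuild.exe" C:\\src\\app.csproj /t:Build',
                   "ParentProcessId": 4800,
                   "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe"})
    # Benign control 2: an installer run from Downloads (not a .NET Framework binary).
    events.append({"UtcTime": "2023-03-31 01:28:05.000", "ProcessId": 5100,
                   "Image": r"C:\Users\Admin\Downloads\setup.exe",
                   "CommandLine": r'"C:\Users\Admin\Downloads\setup.exe"',
                   "ParentProcessId": 1234, "ParentImage": r"C:\Windows\explorer.exe"})
    return events


def bare_launch(cmdline: str, image: str) -> bool:
    """True when the command line is only the (possibly quoted) image path."""
    return cmdline.strip().strip('"').strip().lower() == image.lower()


def detect(events, burst_threshold: int = 3):
    """Return (per-event hits, per-parent summary).

    One .NET Framework binary started with no arguments by a parent in a
    user-writable directory is already worth an alert; several distinct ones
    from the same parent (twelve in the report) is a strong hollowing signal.
    """
    hits = [e for e in events
            if DOTNET_DIR.match(e["Image"])
            and bare_launch(e["CommandLine"], e["Image"])
            and USER_WRITABLE.match(e["ParentImage"])]
    by_parent = defaultdict(list)
    for h in hits:
        by_parent[(h["ParentProcessId"], h["ParentImage"])].append(h)
    summary = []
    for (ppid, pimage), hs in by_parent.items():
        distinct = sorted({h["Image"].rsplit("\\", 1)[-1] for h in hs})
        summary.append({"parent_pid": ppid, "parent_image": pimage, "children": distinct,
                        "severity": "high" if len(distinct) >= burst_threshold else "medium"})
    return hits, summary


if __name__ == "__main__":
    hits, summary = detect(sample_events())
    print(f"{len(hits)} suspicious launches")
    for s in summary:
        print(f"[{s['severity']}] PID {s['parent_pid']} {s['parent_image']}")
        print("   children:", ", ".join(s["children"]))
```

The rule deliberately ignores the parent's file name: a dropper will not keep this sample's hash as its name, but it will still sit in a user-writable path and still need a bare .NET host to hollow.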
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps)
PID 2036 (the sample):
- memory/2036-133-0x000001DCB1D80000-0x000001DCB1EA6000-memory.dmp, 1.1MB
- memory/2036-134-0x000001DCCD670000-0x000001DCCD680000-memory.dmp, 64KB
PID 2104 (AddInProcess32.exe):
- memory/2104-135-0x0000000000400000-0x0000000000430000-memory.dmp, 192KB
- memory/2104-137-0x00000000054C0000-0x0000000005A64000-memory.dmp, 5.6MB
- memory/2104-138-0x0000000004F10000-0x0000000004F76000-memory.dmp, 408KB
- memory/2104-139-0x0000000004FA0000-0x0000000004FB0000-memory.dmp, 64KB
- memory/2104-140-0x0000000006060000-0x00000000060F2000-memory.dmp, 584KB
- memory/2104-141-0x0000000006100000-0x000000000610A000-memory.dmp, 40KB
- memory/2104-142-0x0000000006240000-0x0000000006290000-memory.dmp, 320KB
- memory/2104-143-0x0000000006460000-0x0000000006622000-memory.dmp, 1.8MB
- memory/2104-144-0x0000000004FA0000-0x0000000004FB0000-memory.dmp, 64KB
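Eleven dumps is more than an analyst wants to open by hand, and the names already encode which process and which address range each one covers. The Python below is an added example, not part of the report: it parses the dump names listed above, recomputes each region's size as a check against the listed value, ranks the dumps of the hollowed process (PID 2104) so that a region starting at a conventional image base comes first, and shows the MZ/PE header check to run on a dump before treating it as the unpacked payload. The ranking rule is a heuristic of this example, and the PE header bytes are constructed here, since the dumps themselves are not on the page.

```python
"""Parse the report's memory-dump names and pick the dump worth carving.

Added example, not part of the sandbox report. The dump names and listed
sizes are copied from the report's Downloads section; the byte strings used
to demonstrate the PE check are constructed, since the dumps themselves are
not on the page. Ranking a region that starts at a conventional image base
first is a heuristic of this example, not something the report states.
"""
import re
import struct

DUMP_NAME = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")

REPORTED = [  # (dump name, size as listed in the report)
    ("memory/2036-133-0x000001DCB1D80000-0x000001DCB1EA6000-memory.dmp", "1.1MB"),
    ("memory/2036-134-0x000001DCCD670000-0x000001DCCD680000-memory.dmp", "64KB"),
    ("memory/2104-135-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/2104-137-0x00000000054C0000-0x0000000005A64000-memory.dmp", "5.6MB"),
    ("memory/2104-138-0x0000000004F10000-0x0000000004F76000-memory.dmp", "408KB"),
    ("memory/2104-139-0x0000000004FA0000-0x0000000004FB0000-memory.dmp", "64KB"),
    ("memory/2104-140-0x0000000006060000-0x00000000060F2000-memory.dmp", "584KB"),
    ("memory/2104-141-0x0000000006100000-0x000000000610A000-memory.dmp", "40KB"),
    ("memory/2104-142-0x0000000006240000-0x0000000006290000-memory.dmp", "320KB"),
    ("memory/2104-143-0x0000000006460000-0x0000000006622000-memory.dmp", "1.8MB"),
    ("memory/2104-144-0x0000000004FA0000-0x0000000004FB0000-memory.dmp", "64KB"),
]

# Default image bases the Microsoft linkers use for 32-bit and 64-bit EXEs.
COMMON_IMAGE_BASES = {0x400000, 0x140000000}


def parse_dump_name(name: str) -> dict:
    """Split 'memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp' into its fields."""
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"name": name, "pid": int(m["pid"]), "seq": int(m["seq"]),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Format the way the report does: one decimal in MB, whole KB below 1 MB."""
    return f"{n / 2**20:.1f}MB" if n >= 2**20 else f"{n // 1024}KB"


def check_reported_sizes(reported=REPORTED) -> list:
    """Return (name, listed, computed) for every dump whose size does not add up."""
    mismatches = []
    for name, listed in reported:
        computed = human_size(parse_dump_name(name)["size"])
        if computed != listed:
            mismatches.append((name, listed, computed))
    return mismatches


def payload_candidates(dumps: list, hollowed_pid: int) -> list:
    """Dumps of the hollowed process, regions at a conventional image base first."""
    own = [d for d in dumps if d["pid"] == hollowed_pid]
    return sorted(own, key=lambda d: (d["start"] not in COMMON_IMAGE_BASES, d["start"]))


def looks_like_pe(buf: bytes) -> bool:
    """MZ header, e_lfanew inside the buffer, PE signature, PE32/PE32+ magic."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]
    if e_lfanew + 26 > len(buf) or buf[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return False
    magic = struct.unpack_from("<H", buf, e_lfanew + 24)[0]  # first optional-header field
    return magic in (0x10B, 0x20B)


def constructed_pe_header(e_lfanew: int = 0x80, magic: int = 0x10B) -> bytes:
    """Smallest byte string looks_like_pe() accepts; constructed test data."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr += b"\0" * (e_lfanew - len(hdr))
    hdr += b"PE\0\0" + b"\0" * 20          # signature + 20-byte COFF file header
    hdr += struct.pack("<H", magic)        # optional header magic
    return bytes(hdr)


if __name__ == "__main__":
    dumps = [parse_dump_name(n) for n, _ in REPORTED]
    print("size mismatches:", check_reported_sizes() or "none")
    for d in payload_candidates(dumps, 2104):
        print(f"{human_size(d['size']):>6}  start=0x{d['start']:X}  {d['name']}")
    print("constructed header passes PE check:", looks_like_pe(constructed_pe_header()))
```

On this report the ranking puts memory/2104-135 (0x400000-0x430000, 192KB) first: a region at the default 32-bit image base inside the process that received the writes and the SetThreadContext call. Run looks_like_pe() on the downloaded file's first bytes before handing it to a .NET decompiler; the 1.1MB region in PID 2036 is the same size as the sample on disk and is the injector's own image, not the payload.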