Resubmissions
03-04-2023 18:17
230403-ww794aab7s 803-04-2023 18:16
230403-wwe9baab6x 1003-04-2023 14:33
230403-rwvlsafc83 10Analysis
-
max time kernel
47s -
max time network
35s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
03-04-2023 18:16
General
-
Target
DOOR-MET_23045112.exe
-
Size
658KB
-
MD5
f4a6d37fefe83f89c2f6b1f253bb9c2c
-
SHA1
58ac04dfcc1f0bbf7c41181102f9371a67cda336
-
SHA256
788e583861d0022304a8013dcf66be0e312402d6154f5a7788f1d67518583c7e
-
SHA512
37f6a03d1356aa442ddc61c230549282fa5f5ce8d3aac4792e26cbbb51f75090b0ab8a0e9139304ee6b89530662cf2ee24033573b80f8b81a27fbcf6ee220e0f
-
SSDEEP
12288:q6okzy/q4JM4Q2lQfzwcIDNEkxtdBo0hoay47DKWMH29yoNSDA:Sku/6gQMc6uqhrqW/N
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: ftp- Host:
ftp://ftp.navetesilazi.ro - Port:
21 - Username:
[email protected] - Password:
[email protected]{3EfP%b3kc4@gxAuDMO]-jKJ+CcP&U;d{f4thp)[y_^[!$Y
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 33 IoCs
-
Suspicious use of SendNotifyMessage 33 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\DOOR-MET_23045112.exe"C:\Users\Admin\AppData\Local\Temp\DOOR-MET_23045112.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/336-62-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/336-64-0x0000000002B10000-0x0000000002B20000-memory.dmpFilesize
64KB
-
memory/336-63-0x0000000140000000-0x00000001405E8000-memory.dmpFilesize
5.9MB
-
memory/740-71-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/740-70-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/740-69-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/740-68-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/740-67-0x0000000000400000-0x0000000000430000-memory.dmpFilesize
192KB
-
memory/1544-58-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/1544-61-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/1544-60-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/1544-65-0x0000000000540000-0x000000000055A000-memory.dmpFilesize
104KB
-
memory/1544-66-0x00000000004E0000-0x00000000004E6000-memory.dmpFilesize
24KB
-
memory/1544-59-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB
-
memory/1544-54-0x0000000000FA0000-0x000000000104A000-memory.dmpFilesize
680KB
-
memory/1544-57-0x0000000000350000-0x0000000000368000-memory.dmpFilesize
96KB
-
memory/1544-56-0x0000000000410000-0x000000000045A000-memory.dmpFilesize
296KB
-
memory/1544-55-0x0000000004DE0000-0x0000000004E20000-memory.dmpFilesize
256KB