Analysis
-
max time kernel
208s -
max time network
247s -
platform
windows10-2004_x64 -
resource
win10v2004-20230221-en -
resource tags
-
submitted
01/05/2023, 20:14
General
-
Target
vbc.exe
-
Size
677KB
-
MD5
3050dad5399374e22b0f70c92c58be91
-
SHA1
55deeefcb19f2584248deaa0c7a53fc8fbcb55d7
-
SHA256
5988d11b83423cfd48d121732e165533443e8a5186bc83ff79659608c358559a
-
SHA512
d7b3c9a600b4d58e70de26ac36b9bce61364045ef75a5fb61706c15e58fbd7e3002897ee69d625a051fc29dc35ecd82a268c7f8c45e2436575fc7c37fb693182
-
SSDEEP
12288:y2TlEYAcN8pPgOJwCCvfXsJH3LzVkib6RzNOU5qNV+:NzGYOJwCCnXIWDhqNo
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
kV$bSqJ1 daniel - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detects Redline Stealer samples 2 IoCs
This rule detects the presence of Redline Stealer samples based on their unique strings.
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\vbc.exe"C:\Users\Admin\AppData\Local\Temp\vbc.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\XHdAzTo" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9788.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\vbc.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD517573558c4e714f606f997e5157afaac
SHA113e16e9415ceef429aaf124139671ebeca09ed23
SHA256c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
Filesize
1KB
MD5deb6bd970bb8f4e06c6e28c2033121e1
SHA1085e05d0e8d73a0c2793df56709224bed89fc137
SHA256dd9f2cbde64248dca86d47b801b983eeb59de42310cd713691100bb76592594d
SHA5120c9a622e6627b8db4898216ba53c010779fea53482ec990bd42c9634bc96504cc57375a1a0a4f2637b317a2e59ee92d9df0eca8b3684fe0c62035c0c88d67bf9
-
Filesize
408KB
-
Filesize
192KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
704KB
-
Filesize
584KB
-
Filesize
344KB
-
Filesize
40KB