Analysis
-
max time kernel
31s -
max time network
134s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
16/05/2023, 09:14
General
-
Target
1402.exe
-
Size
227KB
-
MD5
96806ba99e9e85d9561732521cbcb587
-
SHA1
a81b89f8dc5e21aca41b7207800d92d55ff1a67e
-
SHA256
5b405dbe70d390102eff963cd3ae7616d412c9644739ab79697b75750170f794
-
SHA512
bdae76c5226e31a1ed74808f72a76132eba5624461d9a95f9b43cb49420909dd5af621dccae80c4ce3faf3dc9e7f87e3347171438f9971f332480038d16c4ed5
-
SSDEEP
6144:fENWk3enpKUz1JOCiMOmtePGTdJRPHonewGn4:C8pKEuCipKePGT1/Xw
Score
10/10
Malware Config
Extracted
Family
agenttesla
C2
https://discord.com/api/webhooks/1082598970343305236/Wpl9RXuO_KYMIPjOB3KaQKem-Oq_QaZ3OhJgiC7UvEvJ_B230afWbPYGOxLc2PBI-Wer
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1402.exe"C:\Users\Admin\AppData\Local\Temp\1402.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Caspol.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
256KB
-
Filesize
224KB
-
Filesize
56KB