Analysis
-
max time kernel
145s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
19/05/2023, 06:40
General
-
Target
R09876556789000G.jar
-
Size
1.1MB
-
MD5
89b1c7884d5ec1bfc18142f725fde3f8
-
SHA1
e95ab3a5eca60dd08fe4703abe420a29cf357a2f
-
SHA256
b79d1da91f9a15f6bc930bd5b4bf714c016862f04052c3dd5cb79c3464e0f775
-
SHA512
1f81f2de35ad05321fc3761b601a1a82af7e64d93f5072acfbcd262a34ae8acd610a93629369963dfa35e893aae7b423030456a896d11bc965544f73aa94934f
-
SSDEEP
24576:EoOQtokLVRpJOemLmrq5OI5HR735U09kLVRpJOemLmrq5OI5HR735U0C:EjkBRpXrq5nHR779kBRpXrq5nHR77C
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.ionos.mx - Port:
587 - Username:
[email protected] - Password:
Ku77yE-Mail-1980.! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 8 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 34 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\ProgramData\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\R09876556789000G.jar1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\9qHd.exeC:\Users\Admin\9qHd.exe2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\9qHd.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\9qHd.exe"C:\Users\Admin\9qHd.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\9qHd.exe"C:\Users\Admin\9qHd.exe"3⤵
- Executes dropped EXE
-
-
C:\Users\Admin\9qHd.exe"C:\Users\Admin\9qHd.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\hmx6w5V.exe"C:\Users\Admin\hmx6w5V.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\hmx6w5V.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.exe'3⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\hmx6w5V.exe"C:\Users\Admin\hmx6w5V.exe"3⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
15KB
MD53c55878f77a23a052dae2e7c9b0bbdad
SHA1bf42dc0b4b911ee5e3b942649fdfd895cb0763de
SHA256d6a6bb38e1bbb1239cad3f5b806bb7507f3fdf67d44cbb1b5c0b7fb74a9b3158
SHA512a37115bf63335ba0bf902c1c1a76ea4bf57ea3bb370f4505c131a35e681bcf7f4488b8590cec7d88423aeb3362522dcc34f0e60688cdb2da485408278b571f1d
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
815KB
MD5d1f6fe10493bfd93348ff96d17fc74d9
SHA1f25bbe742f47d68d63b78b9e9a7bb0a75a285069
SHA2560c8d77c17748259273ec1465d53b38444f5102d79cdd14bd3053e3cb381d7322
SHA512a868977429b3237adbe8fa5e0ea0cf46dd4063b2fa56009d46e71507468f19d85b9fcdd7df14949f9b4f20682b5f272f70417c82c9b0b83f6acf4b8764efc806
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
136KB
-
Filesize
6.2MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
600KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
120KB
-
Filesize
104KB
-
Filesize
216KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
840KB
-
Filesize
5.6MB
-
Filesize
624KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
192KB
-
Filesize
40KB
-
Filesize
64KB