Analysis

  • max time kernel
    144s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230621-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/06/2023, 06:56

General

  • Target

    file.exe

  • Size

    463KB

  • MD5

    1a2cfd318c11427f0ce1b0cfac83480f

  • SHA1

    4bdcf9570cb252ee93e8da3888a70d7825e65a1b

  • SHA256

    877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7

  • SHA512

    538156ee42e32fee0d0bdaf5d6e1587ff9422036d7503237498d2f613218d4ddaec3733afa0e9d224c4fb1d50032ff12c806fc72343695a74267e659b464981e

  • SSDEEP

    12288:uIFAplx5LmAFNaxAqm/OMqgcG2IWIvvwZUN9XPc8l51VGWAxX3dkcWCiFoG5:OtfNaxAqm/OMqgcG2IWIvvwZUvPc8vec

Malware Config

Extracted

Family

agenttesla

C2

https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • Uses the VBS compiler for execution 1 TTPs
  • Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1016
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      2⤵
        PID:3884
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
        2⤵
          PID:3860
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
          2⤵
            PID:2300
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
            2⤵
              PID:2156
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
              2⤵
                PID:3120
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                2⤵
                  PID:4840
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                  2⤵
                    PID:1952
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                    2⤵
                      PID:5096
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                      2⤵
                        PID:964
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
                        2⤵
                          PID:1364
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                          2⤵
                            PID:100
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                            2⤵
                            • Accesses Microsoft Outlook profiles
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of AdjustPrivilegeToken
                            • Suspicious use of SetWindowsHookEx
                            • outlook_office_path
                            • outlook_win_path
                            PID:4268

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/1016-133-0x0000027D3E4B0000-0x0000027D3E528000-memory.dmp

                          Filesize

                          480KB

                        • memory/1016-134-0x0000027D58B30000-0x0000027D58B40000-memory.dmp

                          Filesize

                          64KB

                        • memory/4268-135-0x0000000000400000-0x0000000000430000-memory.dmp

                          Filesize

                          192KB

                        • memory/4268-137-0x0000000005A80000-0x0000000006024000-memory.dmp

                          Filesize

                          5.6MB

                        • memory/4268-138-0x00000000054D0000-0x0000000005536000-memory.dmp

                          Filesize

                          408KB

                        • memory/4268-139-0x0000000005680000-0x0000000005690000-memory.dmp

                          Filesize

                          64KB

                        • memory/4268-140-0x0000000006C20000-0x0000000006C70000-memory.dmp

                          Filesize

                          320KB

                        • memory/4268-141-0x0000000006D10000-0x0000000006DA2000-memory.dmp

                          Filesize

                          584KB

                        • memory/4268-142-0x0000000006EC0000-0x0000000006ECA000-memory.dmp

                          Filesize

                          40KB

                        • memory/4268-143-0x0000000005680000-0x0000000005690000-memory.dmp

                          Filesize

                          64KB