Analysis
-
max time kernel
143s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
-
submitted
01-07-2023 01:25
General
-
Target
Quote WQ102474.pdf.exe
-
Size
662KB
-
MD5
b7e44d38cc19d4ef0855dbc73c811887
-
SHA1
1a0cfa1e28567de71e08e896b31b1a6c356fe16b
-
SHA256
a8ee0501ce8a092cc0cdbbfd3572db5c3ad505e054ffc24e4af4b6678726f850
-
SHA512
c154eadae3d0d767a82c21d97896ea1d0b302765704c1ba156ea307ebba2d34b60cfde355968342eacc6350bcc41f0d3a4807e767cea022684c8cb508f82d24d
-
SSDEEP
12288:iVp0K8s6owaL9iUdU4b2x3STOM4jsN0sPQQZ/yMUwN4T:iVp0K8s6owahiUdUQ2x3gOMDN0sPQQ9b
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
JUGCRsm9 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Quote WQ102474.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Quote WQ102474.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
192KB
-
Filesize
64KB
-
Filesize
1.8MB
-
Filesize
320KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
688KB
-
Filesize
584KB
-
Filesize
5.6MB