Analysis
-
max time kernel
28s -
max time network
32s -
platform
windows7_x64 -
resource
win7-20230703-en -
resource tags
-
submitted
04/07/2023, 14:07
General
-
Target
shippingdocumentsPO4thcon.exe
-
Size
488KB
-
MD5
b5790577b0b5569b7deca9fbdb7c800a
-
SHA1
b60b70ac5c3a14ba1e3cfd919050db6756711bcf
-
SHA256
2be1be21688128f7fc05cdcfab69adc794d39910af884a9e63f920e415dc1657
-
SHA512
b7efd9dae680bb3137bf68a6aabd9f3486776d9bfbf8c9ef31192bf6183685e7a7839047adb8153eaa609ea7dc5b78776ee745c699ce5579bcf2f982bf7af144
-
SSDEEP
12288:HjvBe0cK1r1Jj1dSrCLh84IBKLOsiBPHW41M5:Hte0cyj7fh84M2OHfY
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6152671361:AAFL6hvnVRgXVOmTmyt-OBqBcWIytTVfN9M/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Drops startup file 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\shippingdocumentsPO4thcon.exe"C:\Users\Admin\AppData\Local\Temp\shippingdocumentsPO4thcon.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Powershell.exe"Powershell.exe" -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\Admin\AppData\Local\Temp\shippingdocumentsPO4thcon.exe' 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\anydesk.exe.exe'2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\shippingdocumentsPO4thcon.exe"C:\Users\Admin\AppData\Local\Temp\shippingdocumentsPO4thcon.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
4KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
192KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
512KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
140KB
-
Filesize
168KB
-
Filesize
256KB
-
Filesize
480KB