Analysis
-
max time kernel
140s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20230703-en -
resource tags
-
submitted
19-07-2023 10:41
General
-
Target
Oferta OFER30052023 NTV.exe
-
Size
612KB
-
MD5
93df36476069ba35847c30ad26d05880
-
SHA1
2d4b1ec873a68e489128bfe0b345e26d3601bc85
-
SHA256
0422c9546bd72399494b2f89026d1bccb6ce039e76d4df745d11e8d29d298b77
-
SHA512
2b5cdbd2ff55b9bc823ca0c3c1de94fb6fa36b01d2fbaa8b9de2cd23f3aa32b7b1fb733dc12467c51f082eb2563be379f96776553a0d545f41f096a974c32071
-
SSDEEP
12288:WmAY2kcdbL4Efqb7lsHgUtOrRu+Tjp4MT1ociOl1Rx4zxOn/olpbKOa:fN6GEfqKHgUt4vjp4ali2uQKpbb
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.securipro.com.my - Port:
587 - Username:
[email protected] - Password:
Smail*789* - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 17 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ZaLLxAVzuZ.exe"2⤵
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZaLLxAVzuZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp54F1.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"C:\Users\Admin\AppData\Local\Temp\Oferta OFER30052023 NTV.exe"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5f137da9c04d7bc244fb1dca166321e40
SHA1ac7f2435edbe24a50a6adcc0f75937bca37619ea
SHA25680dc5da372f0b09416b1c148f488f4e0d93bad004466ee4701f01a544492974b
SHA512aead1b6ade8338bd61eb640ca9e9da0f5c2014f00af19ee8d0d3d7cc5a4e444ab65826806fab4432552d2c07c67840a3d46324dca7f74d3903625c856d071e39
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
632KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
408KB
-
Filesize
64KB
-
Filesize
320KB
-
Filesize
1.8MB
-
Filesize
7.7MB
-
Filesize
192KB