Analysis
-
max time kernel
126s -
max time network
33s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
-
submitted
24-07-2023 06:32
General
-
Target
1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe
-
Size
1.1MB
-
MD5
f69261837f9da67ec44f9162d322b7ba
-
SHA1
953f07ea48032eab7dbfb0ba4eb27c323678694e
-
SHA256
1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf
-
SHA512
ae982649b499c4a779d304c77db55ffce2da2b5ef0618ff9b32e640edcb5e892bbd8bedfada32a51449f245a4f566bcb7e98c7e40672863dda52a3a1ec8026c7
-
SSDEEP
12288:ZuN51q9I6/kldSCGDyaod+ik4g8y3SoDOqvFR/CFFeY+qwBzn5D8:ZuN5OPW2rEloDOqvCFFdcv
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.bosut.mk - Port:
587 - Username:
[email protected] - Password:
0XsKEemhd6EE
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 6 IoCs
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe"C:\Users\Admin\AppData\Local\Temp\1d25e50b1c8cefb11b2ecc991be88c017d2cea828110f855e031da595684ceaf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fxgSPTGiVwGP" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C15.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57dbb9bee77e32acea8f1351030ad7510
SHA1d5feb9642758a96018c332e326604b47b2868e58
SHA256f592bc45d52560308f7e1fecdd2e36a7d0d84fea32c077a518c915112115a294
SHA512fb9375b9476e1fbd13923872eda4eae3a5bbcd36f340c3d118baa1766b5c5b7eab097c97247192f8a9b5de28abe1de7480b5c8844d51d135ee7d1f33ac5a1d48
-
Filesize
1.2MB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
328KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
296KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB