Analysis
-
max time kernel
142s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
05/08/2023, 16:30
General
-
Target
74ffb384c8a3ac7a8ad39faac568e6ff38665af684fc7d4a0661e4f7e563a8bcexe_JC.exe
-
Size
770KB
-
MD5
4e04c16ddcd1940a7a58aaf629f5c7f8
-
SHA1
310f0d39c530cf3b1d4463eb5993e8effb253613
-
SHA256
74ffb384c8a3ac7a8ad39faac568e6ff38665af684fc7d4a0661e4f7e563a8bc
-
SHA512
03314ffb0472dd0a06c764761e442e8460a999e03487c536bcfcc521f082cd98e1f0780b4118c8559979f2b835657fef9179a41f20e2265f9f4bc91dc56cdb95
-
SSDEEP
24576:PAJ8K7G92cCo/69pppNpppppoOQpppNpppppoO:PbK692cikO7O
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail92100.maychuemail.com - Port:
587 - Username:
[email protected] - Password:
Qwerty2020Hp## - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\74ffb384c8a3ac7a8ad39faac568e6ff38665af684fc7d4a0661e4f7e563a8bcexe_JC.exe"C:\Users\Admin\AppData\Local\Temp\74ffb384c8a3ac7a8ad39faac568e6ff38665af684fc7d4a0661e4f7e563a8bcexe_JC.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UadVvjtvr" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7352.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\74ffb384c8a3ac7a8ad39faac568e6ff38665af684fc7d4a0661e4f7e563a8bcexe_JC.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD517573558c4e714f606f997e5157afaac
SHA113e16e9415ceef429aaf124139671ebeca09ed23
SHA256c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553
SHA512f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc
-
Filesize
1KB
MD5e4c1f70c6c861ee7d8027b0c2f75e413
SHA1b496d9c349c3c8114937a9382f685d1e69008d9e
SHA2567858f851a5833087e76ed352de5c8d82042277d86cbe29a4f2763e0ac6d8bf3e
SHA512cf389980df03dc61034c6d2950038b963d4cabd140d21e9048f511a78b86ebcc85c1295d7728d522e187e2c7b8c28c1ee20066d1a4b5ca06ee74d93300d0ddaf
-
Filesize
64KB
-
Filesize
512KB
-
Filesize
584KB
-
Filesize
792KB
-
Filesize
40KB
-
Filesize
344KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
5.6MB
-
Filesize
264KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
624KB
-
Filesize
7.7MB
-
Filesize
264KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
320KB