Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
-
submitted
01-12-2023 01:55
General
-
Target
37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2.exe
-
Size
715KB
-
MD5
454a619661e4d2505e3003e06e9da9f7
-
SHA1
41fe16d9df176730176486c631f9db9048692f22
-
SHA256
37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2
-
SHA512
c0f31aac14cd94682d3648c0faccb966566b1311d7678c5c1707e214d61a462dd8666211b6f1ee3d45db0dae0b9ebbb1e63069e6c63b6a2fd72deceaf20a2956
-
SSDEEP
12288:BiPiCzVYpjabepl80kXPFhZXqBXt0RvVACDN:EdpYyq7kXPFzXqBdcVbDN
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.imperialshipping.co.in - Port:
587 - Username:
[email protected] - Password:
RpF!!f)5 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect PureLogs payload 1 IoCs
-
PureLogs
PureLogs is an infostealer written in C#.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2.exe"C:\Users\Admin\AppData\Local\Temp\37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2.exeC:\Users\Admin\AppData\Local\Temp\37e3f1e9b099b6c47e51b9c065021f7b800da8d7ddd0fbdd346457ee11e3b8f2.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
264KB
-
Filesize
264KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
264KB
-
Filesize
4KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
304KB
-
Filesize
736KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
360KB