Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system -
submitted
02-12-2023 01:46
Behavioral task
behavioral1
Sample
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe
Resource
win10v2004-20231127-en
General
-
Target
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe
-
Size
235KB
-
MD5
a7770cd05872881f3e47e8a9041748fd
-
SHA1
7606e077fdeb8dc5fbffbf428260baba4f0ba470
-
SHA256
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c
-
SHA512
0c4a052618ca146414d688555156b1af6459bf2e0160000c73ac5f693350c683ffd1328e9d445cbfce29b5d93359da69aa48bd1dccd467c453838d631c66e4ff
-
SSDEEP
3072:X7leieCmy4aJr75o8bnPSTerhCvDiN5+mTHITR6:XZeieCmy4aJr75nbMerhWinToTR
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.sturmsgroup.com - Port:
587 - Username:
[email protected] - Password:
hs_B2R1px4ASsOhR - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exepid process 2944 c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe 2944 c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exedescription pid process Token: SeDebugPrivilege 2944 c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe"C:\Users\Admin\AppData\Local\Temp\c5b0e9d5e70c12c5530943abf70451eadf9b9de8ddfaac4bc7234dbc580b6e5c.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2944