Analysis
- max time kernel: 125s
- max time network: 49s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-12-2023 10:15
Static task: static1
Behavioral task: behavioral1
- Sample: NEAS.tmpexe.exe
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: NEAS.tmpexe.exe
- Resource: win10v2004-20231130-en
General
- Target: NEAS.tmpexe.exe
- Size: 644KB
- MD5: 219492f049fb6d224dc912fb1de2d515
- SHA1: ecfbfb5a6714032f4c811601bf8146c1f580b58f
- SHA256: 6d3e0f4b400eeb388c288d1151c5051224f99497a522424f60d9cdcc63157cab
- SHA512: 7f7cf112ff91e0634728a42937051326c5810ef1fbf1b3b9e8a6847b9f34f2ebdb765e046ee4b61f6d286e75ada5cfd4db45eb876e2eb61e8ca9309844ee2878
- SSDEEP: 12288:8K361h61EWGqLia/AsN3xoiFyit3+hBSEvowv409EVjbEQ8q61:8vY7GUiasSnt3qBSE1ejbEQ8v
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.evantelamin.top
- Port: 587
- Username: [email protected]
- Password: =&8=7!eO;gm@
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 5096 NEAS.tmpexe.exe set thread context of PID 4204 NEAS.tmpexe.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 4204 NEAS.tmpexe.exe
  PID 4204 NEAS.tmpexe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  Token: SeDebugPrivilege, PID 4204 NEAS.tmpexe.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
  PID 5096 NEAS.tmpexe.exe wrote to memory of PID 4204 NEAS.tmpexe.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\NEAS.tmpexe.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.tmpexe.exe"
  PID: 5096
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\NEAS.tmpexe.exe (child of PID 5096)
    Command line: "C:\Users\Admin\AppData\Local\Temp\NEAS.tmpexe.exe"
    PID: 4204
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 6ff66694e86562d4db460ccba25fef84
  SHA1: 1b3001464e4a2e6a2a6b1a6c4678f9f9e17ee423
  SHA256: d4be3875b999e267b70808f51864bfb2dbf9c05005f094308abf7fa820505d27
  SHA512: 4a41e8541b083453870fd8c7b98528dfa0d27e718bbb39090d52728fffdcecb837cff61d5353bbc1f2248d22b1c45d639824ec4b3a0e8b04d8072011110b3555