Analysis
-
max time kernel
140s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 10:18
Behavioral task
behavioral1
Sample
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe
Resource
win10v2004-20231127-en
General
-
Target
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe
-
Size
244KB
-
MD5
de277874a56c8fb0f3ffb20d01409ccd
-
SHA1
b248e455c969f7a2551d7e4daa515bcd68a18bdc
-
SHA256
be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177
-
SHA512
673657e129fe86e2c069aacb0604554bd21491db90de0d3b3ee1b9be035f87af4e20caa6e5a256946765929573046a171db8501e22b817c867f609e25118be68
-
SSDEEP
3072:hpOnmmuW+mYCPrJebkp9RcsB+8Ac+5yAzdskB:hp1muW+mYCjDF5hAcczek
Malware Config
Extracted
Protocol: smtp- Host:
mail.oripam.xyz - Port:
587 - Username:
[email protected] - Password:
231Father@
Extracted
agenttesla
Protocol: smtp- Host:
mail.oripam.xyz - Port:
587 - Username:
[email protected] - Password:
231Father@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exepid process 3012 NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe 3012 NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exedescription pid process Token: SeDebugPrivilege 3012 NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exepid process 3012 NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe"C:\Users\Admin\AppData\Local\Temp\NEAS.be64a4cf56e8ed09f83c5d5b7157cc564236a2aa0aeb970b3816c471885a7177.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3012