Analysis
-
max time kernel
122s -
max time network
129s -
platform
windows10-1703_x64 -
resource
win10-20231020-en -
resource tags
-
submitted
05-12-2023 03:53
General
-
Target
18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
-
Size
823KB
-
MD5
77e7f5ee129d7a0eb6a063c6700083f6
-
SHA1
3809d6d83545814b6ca32ee97de22a5d9ce43114
-
SHA256
18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
-
SHA512
5933fba201b39e8e3768b2eae316e9ab2bce27446d96b521f044a7960f7402ee2fd44c5d1f5be5ff0e8390978e836c030b3b341039e2023aace9d7f39693611e
-
SSDEEP
12288:PWcXtW8G34/uK45+po2PUabkUh88z0IvoFMY1EUcCzetvc4en1ccxfD0whVS3UeJ:634/up+pJKY3o7NHiFcrn9xfnV+bJ
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD50c2899d7c6746f42d5bbe088c777f94c
SHA1622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
SHA2565b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
SHA512ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078
-
Filesize
624KB
-
Filesize
6.9MB
-
Filesize
504KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
96KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
848KB
-
Filesize
6.9MB
-
Filesize
5.0MB
-
Filesize
6.9MB
-
Filesize
272KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
6.9MB
-
Filesize
64KB