Analysis
-
max time kernel
128s -
max time network
135s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 07:17
Static task
static1
Behavioral task
behavioral1
Sample
B (3).exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
B (3).exe
Resource
win10v2004-20231127-en
General
-
Target
B (3).exe
-
Size
686KB
-
MD5
dec40a2b97404b644f142979f8b7107a
-
SHA1
45fa65b15e2f206ea917cc1877365e7fcba39731
-
SHA256
9ee7811e79cf1f1f76aadb17175227bf172b21ed84a54a53ef98a1f4695f75ba
-
SHA512
9c33d35ead9764e26a4499d88a5dcba7795205e715ca8b739b1dd4b9b071e777f2713d8bec17fe0c52e03e51952c90e2154e35d5b49d6f7b03a2b8b5341b7acb
-
SSDEEP
12288:Cn/7eVSw4/eC9J4j/Nw3ghMM7s16pqOO9fzClLg6acbV1E7lrtWYOQmbCp:Cn/yVk/eYSj1IghBpqb1zq3Pbgx
Malware Config
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
EwQnrCo8
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
EwQnrCo8 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
B (3).exedescription pid process target process PID 4224 set thread context of 4548 4224 B (3).exe B (3).exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
B (3).exepid process 4548 B (3).exe 4548 B (3).exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
B (3).exedescription pid process Token: SeDebugPrivilege 4548 B (3).exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
B (3).exedescription pid process target process PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe PID 4224 wrote to memory of 4548 4224 B (3).exe B (3).exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B (3).exe"C:\Users\Admin\AppData\Local\Temp\B (3).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4224 -
C:\Users\Admin\AppData\Local\Temp\B (3).exe"C:\Users\Admin\AppData\Local\Temp\B (3).exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4548
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7b9acb869ccc7f7ecb5304ec0384dee
SHA16a90751c95817903ee833d59a0abbef425a613b3
SHA2568cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4
SHA5127bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764