Analysis
-
max time kernel
54s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 16:45
Static task
static1
Behavioral task
behavioral1
Sample
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
Resource
win10v2004-20231127-en
General
-
Target
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
-
Size
653KB
-
MD5
049e5298dee90a234db7ff0336e42361
-
SHA1
af7026ba790d977e066ca6e5f158196583127cee
-
SHA256
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89
-
SHA512
74150316ccd7d0ea5a86c3ccfe8dfdc28bbf2c30c8f1cf4fa84cc3c148976e71c32327782db898434ccb8ac4cf66377d7778ce990a8f417e8696e536bad2327e
-
SSDEEP
12288:V45+po2DRiWedT4GE8diPROQnv0vJj6OiieLA14th+CQkcVNBpk1gP3oCWbD:g+pJUWcTJy5OQv0xmieG4T+cclqCP4Cs
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6488735902:AAFjq98r8SzTcc0BHWZQiLUk749fQ78ULos/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 69 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exedescription pid process target process PID 2168 set thread context of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe -
Suspicious behavior: EnumeratesProcesses 24 IoCs
Processes:
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exee909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exepid process 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 3500 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe 3500 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exee909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exedescription pid process Token: SeDebugPrivilege 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe Token: SeDebugPrivilege 3500 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exedescription pid process target process PID 2168 wrote to memory of 2124 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 2124 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 2124 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3220 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3220 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3220 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 4268 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 4268 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 4268 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe PID 2168 wrote to memory of 3500 2168 e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3500 -
C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"2⤵PID:4268
-
C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"2⤵PID:3220
-
C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"C:\Users\Admin\AppData\Local\Temp\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe"2⤵PID:2124
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e909f6d833125f008ea789af8fdfb40041c2fecbca437a8f0da7e289efbebe89.exe.log
Filesize2KB
MD593d52c1bc7c38d958583ebbd3dc09cd4
SHA14c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5
SHA2562905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76
SHA512dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e