Analysis
-
max time kernel
143s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 17:27
Static task
static1
Behavioral task
behavioral1
Sample
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
Resource
win10v2004-20231127-en
General
-
Target
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
-
Size
631KB
-
MD5
ed4b8e965a5e8a2b185f38a2dc7b5c1b
-
SHA1
4f9a24c87e5cea08769b8ba5559c755f9a8749e6
-
SHA256
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86
-
SHA512
60c0518c3c6436889bee9dcf1cb11db8cbfbc2ca37aea8a245c1ba18537e079ed92a99a746d6a370d315daf6d7204ea7985a86da6bc827421cdc54fdf1ffe055
-
SSDEEP
12288:j45+po2oQpPwiViAQZb9EuQlbmtDaB6x/rQj0fBcuCA1YDL4o:i+pJhpPwT1ZZEuQlatDaIx/rQscuDWN
Malware Config
Extracted
agenttesla
https://discord.com/api/webhooks/1179358691389087754/yHthw4-13k_nboZGWySep8nLvTdwO_hiLUgjd1s52EzGArYfNy0GTqcuv8MADYaMkJvH
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exedescription pid process target process PID 532 set thread context of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exeede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exepid process 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe 1316 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe 1316 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exeede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exedescription pid process Token: SeDebugPrivilege 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe Token: SeDebugPrivilege 1316 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exepid process 1316 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exedescription pid process target process PID 532 wrote to memory of 4628 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 4628 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 4628 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe PID 532 wrote to memory of 1316 532 ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:532 -
C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"2⤵PID:4628
-
C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"C:\Users\Admin\AppData\Local\Temp\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1316
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\ede5c03ac90316dd72af13836732e0749659b483b3a400f73d57a62a4e3b7f86.exe.log
Filesize2KB
MD593d52c1bc7c38d958583ebbd3dc09cd4
SHA14c5ee6f9c9ae190c9a0cccb91fa2257ddcb8b0d5
SHA2562905f3a06dd8907ddbcbe64389cffcc8a5273d1822e25f8bea385bdd01653c76
SHA512dfc55c3247d7734c5a531fb5a3de689e8bb823e82c14ad6cab16923d50d51e03e5e86165a7d65b3059a66b67968b611368b010a6d9f755916b01ef7b67c5228e