Analysis
- max time kernel: 25s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20231127-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 16:49
Static task: static1
Behavioral task: behavioral1
- Sample: FedExReceiptAWB85021012746.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: FedExReceiptAWB85021012746.exe
- Resource: win10v2004-20231127-en
General
- Target: FedExReceiptAWB85021012746.exe
- Size: 694KB
- MD5: ad35ef5346336bb9b2e0eedab376af8a
- SHA1: 5ead65c1717d8fb67de14013f42be25729838d14
- SHA256: 8a1aea514b658161770c47e07c649ee007937805cb5039bc90904bb85783dbff
- SHA512: 9bd5fe22878b0b9ddf55109bb2cf2e359d2aacd93ec0fc1d0d1701796316c176705e91bd89b7590122fd0201ff6211235f3d1d68cbfb7f8948328711dd19d1b7
- SSDEEP: 12288:Hl5nF8oVdqrlb9T5b+XKDl8lVBTMnd8fd/cqSbF5h/Lgse6q5g8goLg1vh3QjjyB:HlhqhbN5bWtJMn2dE5eh6qNLRjyFr
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: nl10.nlkoddos.com
- Port: 587
- Username: [email protected]
- Password: k[yH!8Z$AE;d
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 52, ioc: api.ipify.org
- flow 53, ioc: api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
FedExReceiptAWB85021012746.exe
- description: PID 2036 set thread context of 3188
  pid: 2036, process: FedExReceiptAWB85021012746.exe
  target process: FedExReceiptAWB85021012746.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
FedExReceiptAWB85021012746.exe
- pid: 3188, process: FedExReceiptAWB85021012746.exe
- pid: 3188, process: FedExReceiptAWB85021012746.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FedExReceiptAWB85021012746.exe
- description: Token: SeDebugPrivilege
  pid: 3188, process: FedExReceiptAWB85021012746.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
FedExReceiptAWB85021012746.exe
- description: PID 2036 wrote to memory of 3188 (8 identical entries)
  pid: 2036, process: FedExReceiptAWB85021012746.exe
  target process: FedExReceiptAWB85021012746.exe
Processes
-
- C:\Users\Admin\AppData\Local\Temp\FedExReceiptAWB85021012746.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedExReceiptAWB85021012746.exe"
  PID: 2036
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\FedExReceiptAWB85021012746.exe (level 2, child of PID 2036)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FedExReceiptAWB85021012746.exe"
  PID: 3188
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Downloads
- Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3