Analysis
-
max time kernel
23s -
max time network
172s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
05-12-2023 16:49
Static task
static1
Behavioral task
behavioral1
Sample
B3.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
B3.exe
Resource
win10v2004-20231127-en
General
-
Target
B3.exe
-
Size
686KB
-
MD5
dec40a2b97404b644f142979f8b7107a
-
SHA1
45fa65b15e2f206ea917cc1877365e7fcba39731
-
SHA256
9ee7811e79cf1f1f76aadb17175227bf172b21ed84a54a53ef98a1f4695f75ba
-
SHA512
9c33d35ead9764e26a4499d88a5dcba7795205e715ca8b739b1dd4b9b071e777f2713d8bec17fe0c52e03e51952c90e2154e35d5b49d6f7b03a2b8b5341b7acb
-
SSDEEP
12288:Cn/7eVSw4/eC9J4j/Nw3ghMM7s16pqOO9fzClLg6acbV1E7lrtWYOQmbCp:Cn/yVk/eYSj1IghBpqb1zq3Pbgx
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
EwQnrCo8 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
B3.exedescription pid process target process PID 3824 set thread context of 1836 3824 B3.exe B3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
B3.exepid process 1836 B3.exe 1836 B3.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
B3.exedescription pid process Token: SeDebugPrivilege 1836 B3.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
B3.exedescription pid process target process PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe PID 3824 wrote to memory of 1836 3824 B3.exe B3.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\B3.exe"C:\Users\Admin\AppData\Local\Temp\B3.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3824 -
C:\Users\Admin\AppData\Local\Temp\B3.exe"C:\Users\Admin\AppData\Local\Temp\B3.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1836
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7b9acb869ccc7f7ecb5304ec0384dee
SHA16a90751c95817903ee833d59a0abbef425a613b3
SHA2568cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4
SHA5127bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764