Analysis
-
max time kernel
141s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
-
submitted
05-12-2023 16:49
General
-
Target
4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe
-
Size
590KB
-
MD5
9a46443adb0790a183a57bbbb4364319
-
SHA1
7b0fec8e74a85227590b8db215bda895c7df081e
-
SHA256
4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7
-
SHA512
c6ff22639f8c5b43c3798f14c22b32da1441829434b18a4f7755c14ec35c3a186a89314e94dfac6ed714abc8221673bf2614c74c7949e93006e13ac92291debd
-
SSDEEP
6144:e8LxBDQx8ayrbor7Bh/YbFE+jawvkqEMtTXw/4fBvBcY6pZB6liIvMXhi7LlnbDE:qxPgUr7B2hiZqXjcY6gvMXhE5bZw1Hh
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe"C:\Users\Admin\AppData\Local\Temp\4642314806e613a4256cce3268db16a36e464626b4aedb694c49ef7af60571a7.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"C:\Users\Admin\AppData\Local\Temp\kqwfsmdy.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
174KB
MD52c5cdbdd5085c791f3b81e08c79de059
SHA173ff7c5c15bac1311fb9f471af1c875cda9b237f
SHA256ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
SHA512a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
-
Filesize
174KB
MD52c5cdbdd5085c791f3b81e08c79de059
SHA173ff7c5c15bac1311fb9f471af1c875cda9b237f
SHA256ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
SHA512a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
-
Filesize
174KB
MD52c5cdbdd5085c791f3b81e08c79de059
SHA173ff7c5c15bac1311fb9f471af1c875cda9b237f
SHA256ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
SHA512a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
-
Filesize
333KB
MD52e445696a8ae2ff850c0fdbe917937cb
SHA1ce4e54cb29fd04a20efb19b5607d6aa3b2a81a9b
SHA25610773af14402f5ec0c538bb6816afac711b2be71b356cb66ea625113261dd88b
SHA512a4142c10b0854506fee49533198b9a7a5a90bc52e26acc3d5c3cb16d848397d53097c9cc1b415a05a4269248daf571473f1566eab92c6f41a85ad48e4b6f9dc7
-
Filesize
174KB
MD52c5cdbdd5085c791f3b81e08c79de059
SHA173ff7c5c15bac1311fb9f471af1c875cda9b237f
SHA256ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
SHA512a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
-
Filesize
174KB
MD52c5cdbdd5085c791f3b81e08c79de059
SHA173ff7c5c15bac1311fb9f471af1c875cda9b237f
SHA256ac6175b0a244705e107944c4838c2344be1c7f91ba6777d667a9df487014d90b
SHA512a3905e334d9d0b47e5ee399abf3b1c2211a68fb6971ec6144b1fec8bc0542c23289d2a390fe1f192d585dd5fdd43573eb45820d0ef5a50621d224f9d679ec650
-
Filesize
264KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
6.9MB
-
Filesize
328KB
-
Filesize
196KB
-
Filesize
196KB