Analysis
- max time kernel: 16s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 16:38
Static task: static1
Behavioral task: behavioral1
- Sample: ÖDEME FATURASI.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: ÖDEME FATURASI.exe
- Resource: win10v2004-20231127-en
General
- Target: ÖDEME FATURASI.exe
- Size: 693KB
- MD5: b0a0c1b1189a8e142c6551c52fd2edff
- SHA1: c5fd95bcf1edb6d342f243a55f9d10d01e399326
- SHA256: 802d048e2e3ec9cbc008836a5f8db74d92299839581181e65bb44c7a640a13c3
- SHA512: 56b918830db30b347bf196a96447c58090476112fa528cae9d8c2fc6dda4d4164203931754f2d58c38866e3b5124333e0b535f0dadf30b3ea02a090ba4cc65f6
- SSDEEP: 12288:PueH5qtgBqwBYN55rmMMjjraqL6PtutjM+eCDFhsRH5AhDEFdzUrFsa:tqkqwqN55YnfL6Pt+jJeSCHi3
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.coaatja.com
- Port: 587
- Username: [email protected]
- Password: consuelo63
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid, process):
  - 3060, ÖDEME FATURASI.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 3060, ÖDEME FATURASI.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
  - PID 3060 wrote to memory of 2908, 3060, ÖDEME FATURASI.exe, powershell.exe (4 entries)
  - PID 3060 wrote to memory of 2980, 3060, ÖDEME FATURASI.exe, schtasks.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ÖDEME FATURASI.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ÖDEME FATURASI.exe"
  PID: 3060
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ÖDEME FATURASI.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\ÖDEME FATURASI.exe"
    PID: 2604
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rARfrQaXda" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B17.tmp"
    PID: 2980
    - Creates scheduled task(s)
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rARfrQaXda.exe"
    PID: 2908
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
- MD5: 1b29045460525b425852c8eac3ac1884
- SHA1: 3209b2d4f2f22eb4dade8a2a6e05b842d8c99fb4
- SHA256: 89cae1598da7ad81be1d8ffe980d251420eee09603ca12603ddc90259d4956c6
- SHA512: 783cf10d464e22aa3101671dbefa71b076df986f944677424aad5071873e4dc48b81aa359ebc27c2a4e92c5451c7138b5aa9363e5f33fe4948218b471f193af6