Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20231201-en -
resource tags
arch:x64arch:x86image:win10v2004-20231201-enlocale:en-usos:windows10-2004-x64system -
submitted
10-12-2023 18:16
Behavioral task
behavioral1
Sample
c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe
Resource
win10v2004-20231201-en
General
-
Target
c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe
-
Size
241KB
-
MD5
a49df0530f9b421fd4608c35c8bddd6d
-
SHA1
f1ae538adb0349f8fa4cf4db24dba1dd33911979
-
SHA256
6f61c06b502abedfbd78e3221ae6208f17f6b045a74a29e00a9be0b5a20b36aa
-
SHA512
8070539b255dcf120f24dc0e011452b3731f0ee870861d509d3dbc79ac6fba5c10cbf2ac02cdb1f33ea008d84768b6d3c560c55b4dfb20cfa54a40857f79f415
-
SSDEEP
3072:JP5iuCWSSAbqoch/D4cF5csML6MT8IU3Yd5pJmUdSeF+:3iuCWSSAbqoO/l5cLlQ/Y/mxn
Malware Config
Extracted
Protocol: smtp- Host:
mail.kivuresort.co.ke - Port:
587 - Username:
[email protected] - Password:
Kivu@2020
Extracted
agenttesla
Protocol: smtp- Host:
mail.kivuresort.co.ke - Port:
587 - Username:
[email protected] - Password:
Kivu@2020 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 33 ip-api.com 21 api.ipify.org 27 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2780 c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe 2780 c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2780 c635fbb4-16cc-41b8-8f62-f4f8fd95bc21.exe