Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
-
submitted
11-12-2023 01:50
General
-
Target
8443db8f13ee9852c43c33605e22104d3ea320276f2affff0534627076c52976.exe
-
Size
587KB
-
MD5
ce62a9d0c996178c2ac6a7b9a652257e
-
SHA1
a8b4df6d25572780e70d10f64a5f7cda95180bd4
-
SHA256
8443db8f13ee9852c43c33605e22104d3ea320276f2affff0534627076c52976
-
SHA512
a9cebf2750e1da9cae45825212c2189fe25cb6194c0b2ca564185f44514ba71f01adc9e6181acd56c8b355e2ebe6f0d34a133fed9e7af1b8f7fa3ba88a8d0520
-
SSDEEP
12288:KxPgUrz/QxsOiVSXGNmMyR+llVu07GOjmnmvHV:qh4ZiVS2NmIuO4mvV
Malware Config
Extracted
Protocol: smtp- Host:
premium185.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
cooldown2013
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8443db8f13ee9852c43c33605e22104d3ea320276f2affff0534627076c52976.exe"C:\Users\Admin\AppData\Local\Temp\8443db8f13ee9852c43c33605e22104d3ea320276f2affff0534627076c52976.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmtuht.exe"C:\Users\Admin\AppData\Local\Temp\tmtuht.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmtuht.exe"C:\Users\Admin\AppData\Local\Temp\tmtuht.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
333KB
MD5b984c359bab693eb3c6c133db0777c37
SHA1ba8a80bb8cf2495a5714a8b9d4e215e3f136a276
SHA2560731011a5247799b0b016b1bdde41d635f8475251063dc1300de3bbbe93cc2a6
SHA512259958da5b33a49c6f54608b37d8b163c8aa6dc02081ff2b2edc9ac01fa97c963bed0d95360ac4a9a5cb6d78c46243e360d5ef589b54409520f5a89e991eac66
-
Filesize
165KB
MD501510af00c29e6f934350883c257a786
SHA1ca506e7993ec5c526525d3aa99f688431a337225
SHA256a8ca422e55514a9e08501f028abce1039b23e50836a97cde34b8508cebc20a91
SHA512a14c18607235c4166ec2349c6fca741deaf4cd9591ce216d77f96d69c5d0a2638937932a2dc04874972845545a27250dded00a411a045bc1d1a540adce70d41f
-
Filesize
184KB
-
Filesize
184KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
328KB
-
Filesize
328KB
-
Filesize
7.7MB
-
Filesize
264KB
-
Filesize
328KB
-
Filesize
64KB
-
Filesize
5.6MB
-
Filesize
328KB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB