Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
-
submitted
11-12-2023 09:13
General
-
Target
5041673918XXXXX.BAT.exe
-
Size
330KB
-
MD5
936f0aaff53261396d764a5429c6a05e
-
SHA1
c9b23f881ef506918a8b90a6789878e130fc2d55
-
SHA256
6c7a86fab40be3fa9a95bbeb52f9c790d239646d0ff8504cfa5629f4fd9a1f42
-
SHA512
84fa483869c5307f31496cc66847f777e8ddfe677b2694ec83385dddd34a0a571f36aa50edb39d4da5961346a62e161097c5e62e710795fd8569cfc2f76af967
-
SSDEEP
6144:P8LxBs9bI62/EJuzNsHyAOhJsiBQqu7mycVtXBpve5CzmTc/bfq6PfqpctSbT9k7:B1Ip85yAKJsienHqtuCzJTfPSYSbY
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 6 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 5 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe"C:\Users\Admin\AppData\Local\Temp\5041673918XXXXX.BAT.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"C:\Users\Admin\AppData\Local\Temp\hffhzbqjsu.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 2043⤵
- Loads dropped DLL
- Program crash
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
71KB
MD52930cf7ccac8eaa0a730a74ec0d48706
SHA18b9499b3929f2345e4964a90b1fbdf60cb9cbdac
SHA256bb772b1b4aebe6402d693e0afd92fe08e4cc9626cce9c626b52834225f02190e
SHA51262e4e5eab289cd2778a25675e467959166b1670a67fd574e29510a5712735e1324c0e410f54b3da1fe51bd01d989eed39d93a0fa92dbfb572ddb29d041bd3091
-
Filesize
212KB
MD5c511cec90db9f2b60caa1903c703f258
SHA172458ce7d2328da10150227a49c46f5c2805e5ed
SHA2564e1d606edf6680c07d5440a448161e26da08f9136d6ad62823ec2712cdfd9bf2
SHA512c24e24a0951d61285d2c7d40cf4fe30b7aafc69c24d937d5bfab843ecef16b4c3d05cfaa83a0e8cfa56446ba63461a127d3eeef8e57e9f8e88456c636217930c
-
Filesize
274KB
MD55250b553864dfcbad5e0ad2bb2dc6bab
SHA118758862255a406690b0bdaca6df4ffe66de5d78
SHA2561ce08705ab6b650f8fa900e78913ccf41c2c9c1589218975551d54ddbd657196
SHA512988326c973e55fa88d2e5681ccb8717dcf6b3c2c0046f497de4f2483e63bd8f7ac2d8a633a28e850d255bb5b9d524a8cb458d13b14cb4249e1eb41589523c432
-
Filesize
26KB
MD506ec9fc6318e8846aa2e7a6006352046
SHA168ae219eba4114da2efdec2def7ed241274d6d2c
SHA256fdd2525bb43024af01cf5251ac05b152ee66600bb66ae42dc9c0b8b9fc9da659
SHA512d2b3131549c8a7c9439d7648f153a0845085439d2ff6753219a800ad3bc0c2fdff028cf72202027b8fc5ad242cf1f040c1b16e4e59065672cf7fba13476a1fe5
-
Filesize
4KB
MD57ad944e8fd21373f304516f6b176edfb
SHA121a6519d1f9c070d53894145fdfd1567a767b20f
SHA2567a599c19dcf426ed113c9d28d423177297f3af27e8d33dac0d926afe36f622b7
SHA512c4bbf18e9d3c63464b1a102edd18f9a82d8f4c8384daecd5e2a8d4580b5247fc808d0c6c296b97ce9d8ee7f9fab6eed11579193f407da1ab1e9d6f6084be9778
-
Filesize
298KB
MD52e7dcc9c6f336cd6352f2da45de28d00
SHA1ca23f4532ec078d757aa90d0f4018ee86c25e8f1
SHA2564d4ea573023a4362be5fd6780672f4af67c2c7ffae508888a7e6b89bbde11d21
SHA512007499ca22cc3f2fd0da8448fec20e74d8c9ce8210d6c1c9e0726f571607d0a4097949ea2a9845be52eb6dfa8ce2a8d62c5125e7ce6d226e92ec68ce073a59c1
-
Filesize
163KB
MD53bb7ac926106f1c9a1463b6588ef8e9f
SHA16958485e3b8e9807b51f1e3d0d091ae8edf58724
SHA2563e718eac48c0cf39c14a7e2aea88b3e93ab7078b62218ceb0debb05fd71ea5b4
SHA5125f13a778809df1e5c7e5d26e1f9d8e446d3ff476e9cad43b4cb9ef8179462b3d649e7fb871ba98c4d9ac2892c6ad6bae37721ac7446a78c880380f67b0095025
-
Filesize
264KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
344KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
8KB