Analysis
-
max time kernel
93s -
max time network
121s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
-
submitted
14/02/2024, 02:03
General
-
Target
b764867253a7800f4b0a1ee1fbce93dc54e2e60a23b14b0ae1562af2042c53b8.exe
-
Size
1.9MB
-
MD5
61067fc22c6628fe351a76f6ec19b6da
-
SHA1
b1be7c51c75a5ddf4864f36bddd2cbb32ea6659c
-
SHA256
b764867253a7800f4b0a1ee1fbce93dc54e2e60a23b14b0ae1562af2042c53b8
-
SHA512
9891db373116baad04cbca1ef266f8e46ced5633f1eeb351c0517ea250d4d67925696481ee8602a9e8a77b5e30aa0939882e2c63e54688aba0c7713f06dd525a
-
SSDEEP
49152:ah+ZkldoPKi2aNH5Bod+FNNnxv93Y6OqRkLDjH4ly:z2cPKiHB7NNn33YnV3Y
Malware Config
Extracted
Protocol: smtp- Host:
send.one.com - Port:
587 - Username:
[email protected] - Password:
Ijg2qXIq7^.u
Extracted
agenttesla
Protocol: smtp- Host:
send.one.com - Port:
587 - Username:
[email protected] - Password:
Ijg2qXIq7^.u
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Drops startup file 1 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\b764867253a7800f4b0a1ee1fbce93dc54e2e60a23b14b0ae1562af2042c53b8.exe"C:\Users\Admin\AppData\Local\Temp\b764867253a7800f4b0a1ee1fbce93dc54e2e60a23b14b0ae1562af2042c53b8.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\RegAsm.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
588KB
-
Filesize
588KB
-
Filesize
320KB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB
-
Filesize
5.7MB
-
Filesize
64KB
-
Filesize
5.7MB