Analysis

  • max time kernel: 122s
  • max time network: 127s
  • platform: windows7_x64
  • resource: win7-20231215-en
  • resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted: 20/02/2024, 01:32

General

  • Target: 14dc43630f5986546943df361fc09e333a66fc4971c128a4d9ec1e0b336fa2e5.exe
  • Size: 103KB
  • MD5: d324813c0ffe152c91da3ebd43442720
  • SHA1: b5811da36e83eeae07cfe4f06a013243ee66d8f9
  • SHA256: 14dc43630f5986546943df361fc09e333a66fc4971c128a4d9ec1e0b336fa2e5
  • SHA512: ca409f2a93d7b407b48f21cc64e01e121805721a942380348d81aa473367e442ed8b6a1ed579e18c3cd275bfab0245a32bc9fd38b0d02b7f993d3ff6eb33cc72
  • SSDEEP: 3072:p8JiZ8TE80/wpJbkX/c2dPmdMydxrTIXAJ:eCg1gvzWrTqAJ

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol: ftp
  • Host: ftp://ftp.normagroup.com.tr
  • Port: 21
  • Username: [email protected]
  • Password: Kingdom12345@

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Suspicious use of SetThreadContext 1 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\14dc43630f5986546943df361fc09e333a66fc4971c128a4d9ec1e0b336fa2e5.exe
    "C:\Users\Admin\AppData\Local\Temp\14dc43630f5986546943df361fc09e333a66fc4971c128a4d9ec1e0b336fa2e5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2656

Network


Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize: 344B
    MD5: f14f982fb80a2158481abfe4e3def7da
    SHA1: c9600498b605df92c84a6feb67ae012bd56c1522
    SHA256: 4163d140ed14cf61849d4e7b82c358623d9630a0ddeea29c8c680ee5f51c32bc
    SHA512: 7c07187a383bf15598ed4dc587eb3acf7d2044e261a14b0254cb8cd4af86d753f38d64a8d3f37595433001ea3f7f212cc7580a17b4079576323945d8748d545c

  • C:\Users\Admin\AppData\Local\Temp\Cab51BA.tmp
    Filesize: 65KB
    MD5: ac05d27423a85adc1622c714f2cb6184
    SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
    SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
    SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar5298.tmp
    Filesize: 171KB
    MD5: 9c0c641c06238516f27941aa1166d427
    SHA1: 64cd549fb8cf014fcd9312aa7a5b023847b6c977
    SHA256: 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
    SHA512: 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Memory dumps (PID 1444)

  • memory/1444-0-0x00000000001E0000-0x00000000001FC000-memory.dmp (Filesize: 112KB)
  • memory/1444-1-0x0000000074A00000-0x00000000750EE000-memory.dmp (Filesize: 6.9MB)
  • memory/1444-2-0x0000000000340000-0x0000000000380000-memory.dmp (Filesize: 256KB)
  • memory/1444-64-0x00000000003A0000-0x00000000003AA000-memory.dmp (Filesize: 40KB)
  • memory/1444-74-0x0000000074A00000-0x00000000750EE000-memory.dmp (Filesize: 6.9MB)

Memory dumps (PID 2656)

  • memory/2656-70-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2656-66-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-72-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-68-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-67-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-65-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-75-0x0000000000400000-0x0000000000440000-memory.dmp (Filesize: 256KB)
  • memory/2656-76-0x0000000074A00000-0x00000000750EE000-memory.dmp (Filesize: 6.9MB)
  • memory/2656-77-0x0000000004850000-0x0000000004890000-memory.dmp (Filesize: 256KB)
  • memory/2656-78-0x0000000074A00000-0x00000000750EE000-memory.dmp (Filesize: 6.9MB)
  • memory/2656-79-0x0000000004850000-0x0000000004890000-memory.dmp (Filesize: 256KB)