Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28/02/2024, 16:48
General
-
Target
7d1421b29612772087be84ddc9eb2ff08c282f495007ab6b16bee6bc3e64d11c.exe
-
Size
740KB
-
MD5
c2f0dde9746a766af0669a72789fb9d8
-
SHA1
bacf7968140e7659fb8fa8297f141f2f5074fa19
-
SHA256
7d1421b29612772087be84ddc9eb2ff08c282f495007ab6b16bee6bc3e64d11c
-
SHA512
78f2f1c180d9d2e88f291d42d9e1ee9bdc83839dc4ac28054c4a8da695432b0e310dc11282eb38016716ce4da27b9d0b84761b53f364e3145fc5a2f8e2ab7466
-
SSDEEP
12288:12nZaz5Ujd53LlvrT50BGIRrR8MXxU6JMbhVdwQ1t+kSmpTT+oGUoU3VFzgz:12n8KB5IGo876qbhVx1tKmpCUp3TU
Malware Config
Extracted
Protocol: ftp- Host:
ftp.mercuresurabaya.com - Port:
21 - Username:
[email protected] - Password:
COM&qS[LeyKQ
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.mercuresurabaya.com - Port:
21 - Username:
[email protected] - Password:
COM&qS[LeyKQ
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
-
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 63 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7d1421b29612772087be84ddc9eb2ff08c282f495007ab6b16bee6bc3e64d11c.exe"C:\Users\Admin\AppData\Local\Temp\7d1421b29612772087be84ddc9eb2ff08c282f495007ab6b16bee6bc3e64d11c.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7d1421b29612772087be84ddc9eb2ff08c282f495007ab6b16bee6bc3e64d11c.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\AyTAbwQOCy.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\AyTAbwQOCy" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2C4B.tmp"2⤵
- Creates scheduled task(s)
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5a0b0e352fb3c00f0db710fde4216ea89
SHA1a4e972bb4801be4c111b59b29df9b3b16b00c75e
SHA256165e48db8bdc636cc189fa4908ca84025af53d3a4c75648582c079f87c7423b2
SHA512617824f1b1687f3e615f5e65babdab7c6c12f63963f1e4843bc4358d931420207cb06a079b61c5f279b88dd56dc01a98ae84c37795761770a4d0471a46bcc158
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD56ffba70dd079a64d287d35bc039858d6
SHA1443e9388cd8a684397f764530e3a5c78e49e8903
SHA2567f66ac131ed985cf85f797e07c6981fa699c0607b2f6d9d09cf91d6dfbc82931
SHA512c5086ca5421aed5d0ace4ff6a6321ecfd798f8396903d43d4354d5e9e56ddb04b27dfa6feb52b9873859aaeceac97db6f075b8ad00fa809a0c63a97ecd8c28db
-
Filesize
528KB
-
Filesize
624KB
-
Filesize
128KB
-
Filesize
7.7MB
-
Filesize
56KB
-
Filesize
72KB
-
Filesize
264KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
768KB
-
Filesize
408KB
-
Filesize
104KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
3.3MB
-
Filesize
6.5MB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
600KB
-
Filesize
56KB
-
Filesize
64KB
-
Filesize
68KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
120KB
-
Filesize
64KB
-
Filesize
80KB
-
Filesize
6.2MB
-
Filesize
32KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
216KB
-
Filesize
7.7MB