Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
20/03/2024, 02:27
General
-
Target
8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
-
Size
558KB
-
MD5
eef80ad0744688be6c6029e7793dcf91
-
SHA1
35c0251531d08a060807c429e0833b5d48099a9d
-
SHA256
8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b
-
SHA512
ed28dbb5861aa55f64a0ff08851df3419275c780bc215a5821d08a49c5f1ccc16b0d7ba635f9394b467a48caef841101254dc8982bd0b28b0a3bdcc661bc870c
-
SSDEEP
12288:EMwrhdMp7SyAHZ5lEhugESlldjfmj/IiZY4CqXr6pSD8gZLI:EMwr0p7STUE6+jdm9qb/8gZI
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.myhydropowered.com - Port:
587 - Username:
[email protected] - Password:
yV0cOwpBjCCXLvN - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 3 IoCs
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
-
Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"2⤵
- Adds Run key to start application
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
45B
MD5811d42c01c99104b9aa28ce5d62bba94
SHA17f1b242107a1f5c0b0eae0d0c9170c3172480709
SHA25677af8a34e0ab4168d3698d00a2565eba8670f8c5571d8f0cfe0197d7813dd0bb
SHA5127757bcff4dcc1b88cf3913f5357b03a82a222c095d5aba9397d6c3e9799bdc44894aff8e06ee628b13a573089aa81c121d7edf995844f29ae7274a01aebd00c0
-
Filesize
94B
MD5bdc7d6f49004866c661f77f1d75692c5
SHA132247c5bb3bad4756e45c9005c252b652cb661ba
SHA256bbffe742896b673b636357a7e7c1fa12ca82dd638a5a685d21642de2d11963eb
SHA5121f5280c9f9ca933a827afd0f3c182655a118f76017cd6f474ffcfebc95ba04f92a2ad6175abf1751573caa209722f6cad2d203b363861fe2700e33845c88c1bf
-
Filesize
112B
MD54cb3baa83d6a3f766b0e34725206f0ca
SHA17e24615a503008f5059ece99fa1523d9792c0ca3
SHA256e76f65ecf335bd259ee0f0781e6b9510d4485102a8e08b4e715fb907e98a6076
SHA5123c002ceaf9758cf5abd797afe6ebbd693b407444d261e32701bc531872a77607f213eabfb2a457b04667021c0073830cbed61423f8e44c7c5f0273b2f3d4e8d5
-
Filesize
105B
MD538c6f7822cd89991db6fccc5b04b96c9
SHA1cec31a690a8d9395d59946690f7528ce5f5e0114
SHA2562eba686a57cb8d9b9633c14fdb01b45f88dda41e4c1b5ad9e04c76342d028146
SHA512a6cb93d984fe69f4f4a2bda9001dac25897e6127ccb848762999a9eb8d18d69fbda7308eb1e8d32f9b9e94678b874dcede10066980a56333d8a2d19a5a7a0db8
-
Filesize
106B
MD5d3399b20b2e5f5fd474078147ad9f5aa
SHA1b9950e5b677296f86bdae37a33caf2f35a50c261
SHA256a0c475d863f50ab69ea8c3bfa8a0509cbfb3b052f46e4679d8349b1926b4402b
SHA5122f2d4ec12dd4ab065ff884a0ca3efd94cd2f4e93a70f4cb8b1d39aa2fe384a8e604250b38b17d9d61f5db98924d00e5589603e0d1d9d9d53160e22368384c519
-
Filesize
12KB
MD56e55a6e7c3fdbd244042eb15cb1ec739
SHA1070ea80e2192abc42f358d47b276990b5fa285a9
SHA256acf90ab6f4edc687e94aaf604d05e16e6cfb5e35873783b50c66f307a35c6506
SHA5122d504b74da38edc967e3859733a2a9cacd885db82f0ca69bfb66872e882707314c54238344d45945dc98bae85772aceef71a741787922d640627d3c8ae8f1c35
-
Filesize
1.7MB
-
Filesize
856KB
-
Filesize
28KB
-
Filesize
1.7MB
-
Filesize
856KB
-
Filesize
4KB
-
Filesize
16.4MB
-
Filesize
16.4MB
-
Filesize
264KB
-
Filesize
6.9MB
-
Filesize
1.7MB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
256KB