Analysis
-
max time kernel
142s -
max time network
128s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
27-03-2024 10:42
General
-
Target
e178ae1de056b3463f929009b08b3c03.exe
-
Size
490KB
-
MD5
e178ae1de056b3463f929009b08b3c03
-
SHA1
e1e363f5e0cee78e1a2d2ad606be7529c58203c2
-
SHA256
e7c30df0932d6ccaffe8eb817c2ed422920fb958b04d38f3f8c53f3a9953f214
-
SHA512
6bdb2875bb60447daea8760ef76977545e2c9a6a8163a4bbecf57009aed0784ee9795ff9111f06beb6e6e99aea2764a7db8637e426a2a2338c7bb4b89b9e40b7
-
SSDEEP
6144:BJCUD1099JzbK9ju7xtH9lSirp+wjUzkx7EZBJ+Z/q3fM/Vd9A1MbEWNN15naFv4:V49H3LMwjU8qBJKi3GTS13wN8v6eC
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.fakly-cambodia.com - Port:
587 - Username:
[email protected] - Password:
Mmhh#2014
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 6 IoCs
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe"C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe"1⤵
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HfBaIWTX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5985.tmp"2⤵
- Creates scheduled task(s)
-
-
C:\Users\Admin\AppData\Local\Temp\e178ae1de056b3463f929009b08b3c03.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5da040cae7cf972b182089c6d83cab18a
SHA1c4b742988db8437a8a4be91dcc0d58685876e460
SHA2562a64f6ad113c2e1d764593c4ae73bfff057b1de5b0655aa7e48d9559f9b7d95c
SHA51244d4c7d99a6492c1191c2fda499bf6c0cfeef8bb77e2d5b88460293d3d1c32791fa85790fba8c1400824465624f05e1d333fc7cb141cf31087d2ef69e9b33551
-
Filesize
512KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
32KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
544KB
-
Filesize
256KB
-
Filesize
6.9MB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
6.9MB
-
Filesize
256KB
-
Filesize
240KB
-
Filesize
6.9MB
-
Filesize
256KB