Analysis

  • max time kernel
    24s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28-03-2024 22:39

General

  • Target

    837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe

  • Size

    1.2MB

  • MD5

    3c785d4ebfb66ee2896e9794529159bc

  • SHA1

    ad3d49245fe44b35d6f8004e36bff0c4e4781e62

  • SHA256

    837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2

  • SHA512

    04625cc9db6b6ea26fe313b86c29f2717ce531ec66dbd0c61e90403f2c78f4513959758af2bd571a524cf73c2a9f9a1405cf3a44039ab8e790c467b1930018c3

  • SSDEEP

    24576:YqDEvCTbMWu7rQYlBQcBiT6rprG8aOntHSiIs2LLLpJG+aL:YTvC/MTQYxsWR7aOtHDMzG+

Malware Config

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in Visual Basic.

  • Detect packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
  • Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
  • Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 5 IoCs
  • Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
  • Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 5 IoCs
  • Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
  • Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 1 IoCs
  • AutoIT Executable 1 IoCs

    AutoIT scripts compiled to PE executables.

  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 5 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe
    "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1380
    • C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
      "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\837d8cc3da8af1b873a7c337214b73168fb688e17f3c33722aae27a169f506a2.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2016

Network

MITRE ATT&CK Matrix


Downloads

  • C:\Users\Admin\AppData\Local\Temp\lecheries
    Filesize

    321KB

    MD5

    a742ccbd6f702405534512db8ee8f682

    SHA1

    076c47cec5ecec6f95af65fe968fa5e3bf89ce96

    SHA256

    620c66203a39c19edf4fb2622b09acc8bb0a35008d76878c6f826c93902c0a8a

    SHA512

    3f06e350def31fa5d07a490a15cfb21eddf529d107e08f304d59db86b7d05240fb54ecf6505a98b2f3b968f375faeacaf4cfff290ea9758e36e65b397ee6d568

  • C:\Users\Admin\AppData\Local\Temp\meshummad
    Filesize

    29KB

    MD5

    1ff2550622f09eb6ccb75d9bb6b84cb9

    SHA1

    390af6c9fa2e296501f9e55dbbc5988d9f15e371

    SHA256

    858baf51b3d786c2a565fe5e8a8bfdd10ef1ef4b40a9415e43c8658f8fcb49fb

    SHA512

    089e72c17aa59cbbfef53e7e6598cb7cddf0d446ef130e3cfdc5064d0740c1a98d694bcbb02442eb87c03426e1ec74a5c68c90ae0f4b263d521b21ee514f9c8c

  • C:\Users\Admin\AppData\Local\directory\DADDY 026.exe
    Filesize

    109.2MB

    MD5

    b27a1f17ec81cc4138e33e69c0e4592d

    SHA1

    7e15c775c627c039efe343cc318109d87e3f1f79

    SHA256

    db1dd43ff41c8986d18ab4857f71779677fe348e2302aa533f36753d6f684c9f

    SHA512

    6f846dd78f90e7e50fd17e37f332659bac14341ebda57444f1a3423b89f98263e7b521af1a915d2424c0044d6d17b6884d39b7db572f71aa7e2cc0322d6f92a8

  • memory/1380-10-0x0000000001100000-0x0000000001104000-memory.dmp
    Filesize

    16KB

  • memory/2016-28-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

  • memory/2016-29-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

  • memory/2016-30-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

  • memory/2016-31-0x0000000000400000-0x0000000000454000-memory.dmp
    Filesize

    336KB

  • memory/2016-32-0x0000000005540000-0x0000000005582000-memory.dmp
    Filesize

    264KB

  • memory/2016-33-0x0000000074750000-0x0000000074F00000-memory.dmp
    Filesize

    7.7MB

  • memory/2016-34-0x0000000005DB0000-0x0000000006354000-memory.dmp
    Filesize

    5.6MB