Analysis
-
max time kernel
119s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
28-03-2024 04:58
General
-
Target
c45c19b5790cf57045ce3f8222c412f2.exe
-
Size
643KB
-
MD5
c45c19b5790cf57045ce3f8222c412f2
-
SHA1
818996bc52b3ff2d17620bb8d4902d80e7643ab6
-
SHA256
206b4b5ab8a00697a7161de7822d5235e4f9d913e57e503673cc0437c2ddceb0
-
SHA512
b87a5db0dbc25ff7b9331598607f6bca602e8167cb002adfd123d541665ff7c8fd0b88a68a990f33e3f28926b7bb2918e4054d6c1924a2eb0b42788d4e588107
-
SSDEEP
12288:wY5qjl5sV3opXxW603Hioen6ZH6i4bgc6ZLXgf4Kx6IF0TGLqk98h:wY5mvXUH30n656iXD6GIFlrO
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.gosportz.in - Port:
587 - Username:
sales@gosportz.in - Password:
Ss@gosportz - Email To:
cintronp44@yandex.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c45c19b5790cf57045ce3f8222c412f2.exe"C:\Users\Admin\AppData\Local\Temp\c45c19b5790cf57045ce3f8222c412f2.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1904 -s 7202⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1904-0-0x0000000000B50000-0x0000000000B62000-memory.dmpFilesize
72KB
-
memory/1904-1-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmpFilesize
9.9MB
-
memory/1904-2-0x000000001B290000-0x000000001B310000-memory.dmpFilesize
512KB
-
memory/1904-3-0x000000001A6C0000-0x000000001A756000-memory.dmpFilesize
600KB
-
memory/1904-20-0x000000001B290000-0x000000001B310000-memory.dmpFilesize
512KB
-
memory/1904-19-0x000007FEF6170000-0x000007FEF6B5C000-memory.dmpFilesize
9.9MB
-
memory/2128-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2128-10-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-8-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-13-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-15-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-17-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-18-0x0000000074BA0000-0x000000007528E000-memory.dmpFilesize
6.9MB
-
memory/2128-6-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-4-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2128-21-0x0000000074BA0000-0x000000007528E000-memory.dmpFilesize
6.9MB