Analysis
-
max time kernel
122s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-03-2024 02:58
General
-
Target
Loading Advice.exe
-
Size
670KB
-
MD5
82ed2d50defbaa3056e1216f7a04fd29
-
SHA1
b0c53c84b62236adb6dbe7adad055e13c6ff58cd
-
SHA256
5367bdd7476c6a1d2ac38b0d8efcbaba0c74176f86cc0f76e925407e62605071
-
SHA512
550d35d6c2dae4cf1d818a5d6d77d9359cdf4420d1dcd831cd39c179bacaf441800afe11d0961f8affe718f349d0aed92816c4b8d0c15a95231a7dad453e9356
-
SSDEEP
12288:sme0YOwq0IDzlpnjRSsrj65vGdaM6Ge/zqdrAamH8Wss:+O70I3lbBaZo6a3Wb
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.shivomrealty.com - Port:
587 - Username:
[email protected] - Password:
Priya1982# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 9 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\azSeNNFbJYW.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\azSeNNFbJYW" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4672.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"2⤵
-
C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"C:\Users\Admin\AppData\Local\Temp\Loading Advice.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp4672.tmpFilesize
1KB
MD5f3ee2de4e36b74a5bcc0f628c822a7ee
SHA10b8bb153aa03c2cb368e50f51ce42798fe6d8ff3
SHA256d6eab13413cdb26d9ec8e3bdf415d45bb647b691aea5fcc39fd811123259317b
SHA512441bcc7dc5067f722a342f023ace84327d856a217d59f056a115a47c901b3e779505ac2fedb0dedd839882f443eea31c04091ddbcb60397b5d074cf7c90476bc
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD53c11d0d06239ff4076e1cad6279ed13d
SHA147ee680f694d8431f18cb2a6ad10aabb24d1e5cb
SHA2562939a906ad9cb74ded1bfe2cc009d84f37a0cff1fbe0954089f6b6cb8b090dbf
SHA512faba5dfdc97d83a241621554c3c9221b42bffba24b6e67309fce51b4a920d07021fac080fbe1f49bc855475176c9d64c78ca9dfb2f08423bd6e0a839e71772f8
-
memory/2436-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2436-43-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/2436-29-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-40-0x0000000073350000-0x0000000073A3E000-memory.dmpFilesize
6.9MB
-
memory/2436-35-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-26-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-18-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-20-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-23-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2436-22-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2624-28-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2624-38-0x0000000002900000-0x0000000002940000-memory.dmpFilesize
256KB
-
memory/2624-42-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2624-37-0x0000000002900000-0x0000000002940000-memory.dmpFilesize
256KB
-
memory/2624-36-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2624-34-0x0000000002900000-0x0000000002940000-memory.dmpFilesize
256KB
-
memory/2652-30-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2652-39-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2652-31-0x0000000002B20000-0x0000000002B60000-memory.dmpFilesize
256KB
-
memory/2652-41-0x000000006F4E0000-0x000000006FA8B000-memory.dmpFilesize
5.7MB
-
memory/2856-33-0x0000000074650000-0x0000000074D3E000-memory.dmpFilesize
6.9MB
-
memory/2856-4-0x0000000000390000-0x000000000039C000-memory.dmpFilesize
48KB
-
memory/2856-5-0x0000000004F80000-0x0000000005002000-memory.dmpFilesize
520KB
-
memory/2856-3-0x0000000000580000-0x000000000059A000-memory.dmpFilesize
104KB
-
memory/2856-2-0x00000000048E0000-0x0000000004920000-memory.dmpFilesize
256KB
-
memory/2856-0-0x0000000000920000-0x00000000009CE000-memory.dmpFilesize
696KB
-
memory/2856-1-0x0000000074650000-0x0000000074D3E000-memory.dmpFilesize
6.9MB