Analysis
max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 17/04/2024, 13:59
Static task: static1
Behavioral task: behavioral1
  Sample: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  Resource: win10v2004-20240412-en
Behavioral task: behavioral3
  Sample: $PLUGINSDIR/System.dll
  Resource: win7-20240221-en
Behavioral task: behavioral4
  Sample: $PLUGINSDIR/System.dll
  Resource: win10v2004-20240412-en
General
Target: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Size: 558KB
MD5: eef80ad0744688be6c6029e7793dcf91
SHA1: 35c0251531d08a060807c429e0833b5d48099a9d
SHA256: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b
SHA512: ed28dbb5861aa55f64a0ff08851df3419275c780bc215a5821d08a49c5f1ccc16b0d7ba635f9394b467a48caef841101254dc8982bd0b28b0a3bdcc661bc870c
SSDEEP: 12288:EMwrhdMp7SyAHZ5lEhugESlldjfmj/IiZY4CqXr6pSD8gZLI:EMwr0p7STUE6+jdm9qb/8gZI
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.myhydropowered.com
Port: 587
Username: [email protected]
Password: yV0cOwpBjCCXLvN
Email To: [email protected]
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Loads dropped DLL (1 IoC)
  PID 4452: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key = "C:\\Users\\Admin\\AppData\\Roaming\\subfolder1\\Pseudodiphtheric.exe" (process: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FTSKIaM = "C:\\Users\\Admin\\AppData\\Roaming\\FTSKIaM\\FTSKIaM.exe" (process: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
  flow 27: drive.google.com
  flow 28: drive.google.com
Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 43: api.ipify.org
  flow 44: api.ipify.org
  flow 49: ip-api.com
Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  PID 668: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  PID 4452: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  PID 668: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Suspicious use of SetThreadContext (1 IoC)
  PID 4452 set thread context of PID 668 (process: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe, procid_target: 89)
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 668: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  PID 668: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Suspicious behavior: MapViewOfSection (1 IoC)
  PID 4452: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 668: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 4452 wrote to memory of PID 668 (process: 8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe, procid_target: 89), 5 identical entries
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"
  PID: 4452
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
Level 2 (under the process above): C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\8a3597999df227bed6a515aebd8ecf14468a8e3f23d570af30f42d72b3f6356b.exe"
  PID: 668
  - Adds Run key to start application
  - Suspicious use of NtCreateThreadExHideFromDebugger
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads