Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 04:48
General
-
Target
New DHL Shipment Document Arrival Notice.pdf.exe
-
Size
991KB
-
MD5
189b8ac3c0f8d840f30f4897b2d89773
-
SHA1
e6e6c3bd752cde7cf0677575d9268fc2a2070331
-
SHA256
7fee503438f90d0206012674566587b5ecef1d040935809ae308b12842dc6196
-
SHA512
052b3ccd16b840ff50fecc83229a0e9b432629084ef1a43af02d794debfc95a0aa054840feb3a82631176b08a3fcc8c5542c8052811ba6434e416e339dccbf16
-
SSDEEP
24576:o0QxK82SgCUzIQTTzhp11LP059ncTAG6Ox23:om8lgDIv59nXQ23
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
smtp.prestamp.in - Port:
587 - Username:
[email protected] - Password:
Gds@123
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.prestamp.in - Port:
587 - Username:
[email protected] - Password:
Gds@123 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\New DHL Shipment Document Arrival Notice.pdf.exe"C:\Users\Admin\AppData\Local\Temp\New DHL Shipment Document Arrival Notice.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1940-9-0x00007FFECA640000-0x00007FFECB101000-memory.dmpFilesize
10.8MB
-
memory/1940-1-0x00007FFECA640000-0x00007FFECB101000-memory.dmpFilesize
10.8MB
-
memory/1940-2-0x00000257E9F20000-0x00000257E9F30000-memory.dmpFilesize
64KB
-
memory/1940-3-0x00000257CFBA0000-0x00000257CFC36000-memory.dmpFilesize
600KB
-
memory/1940-0-0x00000257CF780000-0x00000257CF7E8000-memory.dmpFilesize
416KB
-
memory/2512-8-0x0000000005AA0000-0x0000000005AB0000-memory.dmpFilesize
64KB
-
memory/2512-6-0x0000000005EE0000-0x0000000006484000-memory.dmpFilesize
5.6MB
-
memory/2512-7-0x00000000058B0000-0x0000000005916000-memory.dmpFilesize
408KB
-
memory/2512-5-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB
-
memory/2512-4-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2512-10-0x0000000006E30000-0x0000000006E80000-memory.dmpFilesize
320KB
-
memory/2512-11-0x0000000006F20000-0x0000000006FBC000-memory.dmpFilesize
624KB
-
memory/2512-12-0x0000000007060000-0x00000000070F2000-memory.dmpFilesize
584KB
-
memory/2512-13-0x0000000006FF0000-0x0000000006FFA000-memory.dmpFilesize
40KB
-
memory/2512-14-0x0000000074730000-0x0000000074EE0000-memory.dmpFilesize
7.7MB