Analysis
-
max time kernel
139s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
24-04-2024 13:55
General
-
Target
Proforma Request.exe
-
Size
359KB
-
MD5
0e714431357dd37266fe95d5b2b52f8e
-
SHA1
c003a2816c6da9857829984bbd8051d60eba5cd1
-
SHA256
36dd06fa770b353aa0716188d181d371300a847b6867878f4cf15c5b6b40d751
-
SHA512
0e862e6379ed36cd5acd2b0203c6c44f2cd861111d7efaf6b18ee5d4171be2aebf2a0c2ad01bc6efa2dcbb57982f704f33d2c97d86c304b16aab1fdd970f8460
-
SSDEEP
6144:fCjPKO4SIv6vytHU9ZTw8RgWuJvxLVbUkBEIAd7+GItYdqJfDJPwZICr:KjaSIv6vytH7WyNU1+GkBW
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6240128422:AAF92bsfXTRwFqVrbwbkd53IuHO7T3W8CXQ/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Proforma Request.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Request.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Proforma Request.exe"C:\Users\Admin\AppData\Local\Temp\Proforma Request.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2716-12-0x0000000006A20000-0x0000000006AB2000-memory.dmpFilesize
584KB
-
memory/2716-10-0x00000000067F0000-0x0000000006840000-memory.dmpFilesize
320KB
-
memory/2716-15-0x0000000005120000-0x0000000005130000-memory.dmpFilesize
64KB
-
memory/2716-14-0x0000000074C00000-0x00000000753B0000-memory.dmpFilesize
7.7MB
-
memory/2716-13-0x00000000069C0000-0x00000000069CA000-memory.dmpFilesize
40KB
-
memory/2716-5-0x0000000074C00000-0x00000000753B0000-memory.dmpFilesize
7.7MB
-
memory/2716-11-0x00000000068E0000-0x000000000697C000-memory.dmpFilesize
624KB
-
memory/2716-6-0x00000000056E0000-0x0000000005C84000-memory.dmpFilesize
5.6MB
-
memory/2716-3-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2716-8-0x00000000051A0000-0x0000000005206000-memory.dmpFilesize
408KB
-
memory/2716-7-0x0000000005120000-0x0000000005130000-memory.dmpFilesize
64KB
-
memory/4548-1-0x0000000074C00000-0x00000000753B0000-memory.dmpFilesize
7.7MB
-
memory/4548-0-0x0000000000330000-0x0000000000390000-memory.dmpFilesize
384KB
-
memory/4548-9-0x0000000074C00000-0x00000000753B0000-memory.dmpFilesize
7.7MB
-
memory/4548-4-0x00000000026E0000-0x00000000026E1000-memory.dmpFilesize
4KB
-
memory/4548-2-0x0000000004CD0000-0x0000000004CE0000-memory.dmpFilesize
64KB