Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
25-04-2024 01:29
Static task
static1
Behavioral task
behavioral1
Sample
PURCHASE ORDER (3).exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PURCHASE ORDER (3).exe
Resource
win10v2004-20240412-en
General
-
Target
PURCHASE ORDER (3).exe
-
Size
676KB
-
MD5
d760dc358592d6717d4d6ca1ca0b4a41
-
SHA1
c9cecc6110f3568c4b8d38c95f834b3bf7a7c0d8
-
SHA256
87c5e257097fbb317f8f64250f0796574dfaf1e132e4819dc9c62d9d59c227dd
-
SHA512
b32aad32df292055078aa2a5f98205da2fef69f183d8feaf2e79e2cc085430c80feb2560ebc733f6b2c5a994bfc5438071ddf40cd6c588ac5609a2676758290a
-
SSDEEP
12288:jAlv312Z3HmMPKvWPRqYtuJu+OixvozCaRXrJ6hVxB+8i53tzL73EmlPTS2b:jAJ312ZHmMi+PoYb+rw7XFcfB+B5RLDH
Malware Config
Extracted
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
N@DRpoY0
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
N@DRpoY0 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1468 set thread context of 4312 1468 PURCHASE ORDER (3).exe 95 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 4312 PURCHASE ORDER (3).exe 4312 PURCHASE ORDER (3).exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 4312 PURCHASE ORDER (3).exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95 PID 1468 wrote to memory of 4312 1468 PURCHASE ORDER (3).exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER (3).exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER (3).exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1468 -
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER (3).exe"C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER (3).exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4312
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD58ec831f3e3a3f77e4a7b9cd32b48384c
SHA1d83f09fd87c5bd86e045873c231c14836e76a05c
SHA2567667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
SHA51226bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3