Analysis
max time kernel: 138s
max time network: 124s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-04-2024 02:53
Static task: static1
Behavioral task: behavioral1 (sample FiveFinder.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample FiveFinder.exe, resource win10v2004-20240412-en)
General
Target: FiveFinder.exe
Size: 1.4MB
MD5: 1e941bebf9fe16bce5c1967b5afffba8
SHA1: b4a4cdff52f85f12cd3b4e1f251d46f424302f29
SHA256: 9360b84645809c8bb4387bf69a84ab8af0c3e01bd8072c60c1b5d728820b3cf9
SHA512: 64577f9c6b5fb0613f56365ff98a2e3d632a70981ff801cf2632d81fa17c44b1cc7419931c21d2c0f0107dd21846c25fe450787dad23b92a48c3ecb568401435
SSDEEP: 24576:HSc5TMSc5TeITMvRFhRRbNWoCfkYSEH3OqtwIuXckqjVnlqud+/2P+AkwEJ:HSZS5ITYbNbNWo4kSH3OqtwIrkqXfd+r
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload (1 IoC)
Processes:
resource: behavioral2/memory/644-6-0x0000000005D00000-0x0000000005F14000-memory.dmp; yara_rule: family_agenttesla
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
FiveFinder.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
FiveFinder.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
FiveFinder.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
FiveFinder.exe (pid 644): Token: SeDebugPrivilege
Processes
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
memory/644-0-0x0000000000F40000-0x00000000010A6000-memory.dmp (1.4MB)
memory/644-1-0x00000000744E0000-0x0000000074C90000-memory.dmp (7.7MB)
memory/644-2-0x0000000006050000-0x00000000065F4000-memory.dmp (5.6MB)
memory/644-3-0x0000000005980000-0x0000000005A12000-memory.dmp (584KB)
memory/644-4-0x0000000005A90000-0x0000000005AA0000-memory.dmp (64KB)
memory/644-5-0x0000000005A30000-0x0000000005A3A000-memory.dmp (40KB)
memory/644-6-0x0000000005D00000-0x0000000005F14000-memory.dmp (2.1MB)
memory/644-7-0x0000000005A90000-0x0000000005AA0000-memory.dmp (64KB)
memory/644-8-0x00000000744E0000-0x0000000074C90000-memory.dmp (7.7MB)
memory/644-9-0x0000000005A90000-0x0000000005AA0000-memory.dmp (64KB)
memory/644-10-0x0000000005A90000-0x0000000005AA0000-memory.dmp (64KB)