Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
26-04-2024 08:17
General
-
Target
CHEMICAL SPECIFICATIONS.exe
-
Size
1.0MB
-
MD5
f564f9251bd76e796906aebb35ae478a
-
SHA1
e6b87808a2a2b26bcda776e971e442598402b2bd
-
SHA256
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9
-
SHA512
c979305cd640afe04056d36e327acee49d4c0fa9af77cd7ec9fa6463e7b0c145400be854deda5f8739956cdd95e3bceb44306d16f899487aee53e056f7144308
-
SSDEEP
24576:9wzV9w070Ln2qfI3F2IJ0mxhyEtWj9gBrZkpsZIjd4bnFdtJB:wV8n2q02IdnyPg1ZyGIjd4bFdtJB
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C
Extracted
Family
agenttesla
Credentials
Protocol: ftp- Host:
ftp://ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CHEMICAL SPECIFICATIONS.exe"C:\Users\Admin\AppData\Local\Temp\CHEMICAL SPECIFICATIONS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1916-9-0x0000000005860000-0x00000000058C6000-memory.dmpFilesize
408KB
-
memory/1916-10-0x0000000006B90000-0x0000000006BE0000-memory.dmpFilesize
320KB
-
memory/1916-14-0x0000000005850000-0x0000000005860000-memory.dmpFilesize
64KB
-
memory/1916-13-0x00000000746B0000-0x0000000074E60000-memory.dmpFilesize
7.7MB
-
memory/1916-4-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/1916-5-0x00000000746B0000-0x0000000074E60000-memory.dmpFilesize
7.7MB
-
memory/1916-12-0x0000000006C30000-0x0000000006C3A000-memory.dmpFilesize
40KB
-
memory/1916-11-0x0000000006C80000-0x0000000006D12000-memory.dmpFilesize
584KB
-
memory/1916-6-0x0000000005E10000-0x00000000063B4000-memory.dmpFilesize
5.6MB
-
memory/1916-7-0x0000000005850000-0x0000000005860000-memory.dmpFilesize
64KB
-
memory/3976-0-0x000001FAB51E0000-0x000001FAB5258000-memory.dmpFilesize
480KB
-
memory/3976-8-0x00007FFECBF80000-0x00007FFECCA41000-memory.dmpFilesize
10.8MB
-
memory/3976-1-0x00007FFECBF80000-0x00007FFECCA41000-memory.dmpFilesize
10.8MB
-
memory/3976-3-0x000001FACF730000-0x000001FACF7CC000-memory.dmpFilesize
624KB
-
memory/3976-2-0x000001FAB5660000-0x000001FAB5670000-memory.dmpFilesize
64KB