Analysis
-
max time kernel
146s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
26-04-2024 08:05
General
-
Target
CHEMICAL SPECIFICATIONS.exe
-
Size
1.0MB
-
MD5
f564f9251bd76e796906aebb35ae478a
-
SHA1
e6b87808a2a2b26bcda776e971e442598402b2bd
-
SHA256
386af47105d3e905ab5c1327fa634dd38e8af6d29f380cfbf0546549734d22f9
-
SHA512
c979305cd640afe04056d36e327acee49d4c0fa9af77cd7ec9fa6463e7b0c145400be854deda5f8739956cdd95e3bceb44306d16f899487aee53e056f7144308
-
SSDEEP
24576:9wzV9w070Ln2qfI3F2IJ0mxhyEtWj9gBrZkpsZIjd4bnFdtJB:wV8n2q02IdnyPg1ZyGIjd4bFdtJB
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C
Extracted
Family
agenttesla
Credentials
Protocol: ftp- Host:
ftp://ftp.ercolina-usa.com - Port:
21 - Username:
[email protected] - Password:
1.$.#t~cK;4C
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\CHEMICAL SPECIFICATIONS.exe"C:\Users\Admin\AppData\Local\Temp\CHEMICAL SPECIFICATIONS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"2⤵
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2520-10-0x0000000006B70000-0x0000000006BC0000-memory.dmpFilesize
320KB
-
memory/2520-14-0x0000000003040000-0x0000000003050000-memory.dmpFilesize
64KB
-
memory/2520-13-0x00000000749D0000-0x0000000075180000-memory.dmpFilesize
7.7MB
-
memory/2520-12-0x0000000006C10000-0x0000000006C1A000-memory.dmpFilesize
40KB
-
memory/2520-4-0x0000000000400000-0x0000000000448000-memory.dmpFilesize
288KB
-
memory/2520-5-0x00000000749D0000-0x0000000075180000-memory.dmpFilesize
7.7MB
-
memory/2520-6-0x0000000005AF0000-0x0000000006094000-memory.dmpFilesize
5.6MB
-
memory/2520-7-0x0000000003040000-0x0000000003050000-memory.dmpFilesize
64KB
-
memory/2520-8-0x00000000056B0000-0x0000000005716000-memory.dmpFilesize
408KB
-
memory/2520-11-0x0000000006C60000-0x0000000006CF2000-memory.dmpFilesize
584KB
-
memory/3704-3-0x00000168DC120000-0x00000168DC1BC000-memory.dmpFilesize
624KB
-
memory/3704-9-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmpFilesize
10.8MB
-
memory/3704-0-0x00000168DA450000-0x00000168DA4C8000-memory.dmpFilesize
480KB
-
memory/3704-2-0x00000168F4AC0000-0x00000168F4AD0000-memory.dmpFilesize
64KB
-
memory/3704-1-0x00007FFBD4550000-0x00007FFBD5011000-memory.dmpFilesize
10.8MB