Analysis
-
max time kernel
62s -
max time network
52s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
29-04-2024 09:27
General
-
Target
add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe
-
Size
238KB
-
MD5
b6a505583abf47aca04e614aab181c15
-
SHA1
2a51b0ccc10629a167c8efd1613eabe149a03d50
-
SHA256
add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9
-
SHA512
f32b038cfaf5f8469ee889e8c39f9a99e5971c4053c8053a976ed93d4d4167081473c6d24d8d596c0e7b30050536bd88b736edd8b326657629336062c296e5f4
-
SSDEEP
3072:yZl2e7GdwPfnnP8LkdxJGVHWeZXLDmdeEUMk5iJGeq5Wy5NmxgA:yZl2TdwPfnnPjdxJGV2eZH4U9uGee5E
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
terminal4.veeblehosting.com - Port:
587 - Username:
[email protected] - Password:
Ifeanyi1987@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe"C:\Users\Admin\AppData\Local\Temp\add0d680c45f1c8241ca9eb8f5997d5540f00a37a7522135e0675b1332335ec9.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1736-0-0x0000000000F10000-0x0000000000F52000-memory.dmpFilesize
264KB
-
memory/1736-1-0x0000000074410000-0x0000000074BC0000-memory.dmpFilesize
7.7MB
-
memory/1736-2-0x0000000005F30000-0x00000000064D4000-memory.dmpFilesize
5.6MB
-
memory/1736-3-0x0000000003290000-0x00000000032A0000-memory.dmpFilesize
64KB
-
memory/1736-4-0x0000000005A80000-0x0000000005AE6000-memory.dmpFilesize
408KB
-
memory/1736-5-0x0000000006FF0000-0x0000000007040000-memory.dmpFilesize
320KB
-
memory/1736-6-0x00000000070E0000-0x000000000717C000-memory.dmpFilesize
624KB
-
memory/1736-7-0x0000000074410000-0x0000000074BC0000-memory.dmpFilesize
7.7MB
-
memory/1736-8-0x0000000003290000-0x00000000032A0000-memory.dmpFilesize
64KB
-
memory/1736-9-0x0000000007220000-0x00000000072B2000-memory.dmpFilesize
584KB
-
memory/1736-10-0x0000000007180000-0x000000000718A000-memory.dmpFilesize
40KB