Analysis
-
max time kernel
148s -
max time network
61s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
29-04-2024 09:27
General
-
Target
pedido 24-NARC-00248.exe
-
Size
675KB
-
MD5
14e65321e8e87acf51a04209b59d575d
-
SHA1
5bf2b65f5aa56a16cbe5c6c551ed7a6cabb4f2cb
-
SHA256
fc87539e22a02272651741ae48f23ce39f83be4f282cf923f22d3aa58500d76b
-
SHA512
f97125ffd012a7f3647323055dc2ed418f12d09b6d0fd2ac6204b462b9a1fd1c63da523a3510359eef926f4a0f283b23d8c600f1a602c83ef30cca1db806ffed
-
SSDEEP
12288:3Olv312Z3Rv0n3HbZe7rA6LDP8W9ptv/C5CpOEHdoDcvuHqWKQS38vYZ:3OJ312ZRv23bZucQDfXCMXGCoqHQU8va
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.indra-precision.co.th - Port:
21 - Username:
[email protected] - Password:
UW8f$y[fBOEs
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\pedido 24-NARC-00248.exe"C:\Users\Admin\AppData\Local\Temp\pedido 24-NARC-00248.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3352-0-0x00000000005A0000-0x0000000000650000-memory.dmpFilesize
704KB
-
memory/3352-1-0x0000000075230000-0x00000000759E0000-memory.dmpFilesize
7.7MB
-
memory/3352-2-0x00000000055F0000-0x0000000005B94000-memory.dmpFilesize
5.6MB
-
memory/3352-3-0x0000000005040000-0x00000000050D2000-memory.dmpFilesize
584KB
-
memory/3352-4-0x00000000051F0000-0x0000000005200000-memory.dmpFilesize
64KB
-
memory/3352-5-0x0000000005000000-0x000000000500A000-memory.dmpFilesize
40KB
-
memory/3352-6-0x0000000005010000-0x0000000005030000-memory.dmpFilesize
128KB
-
memory/3352-7-0x0000000005270000-0x0000000005284000-memory.dmpFilesize
80KB
-
memory/3352-8-0x00000000082C0000-0x0000000008346000-memory.dmpFilesize
536KB
-
memory/3352-9-0x000000000B880000-0x000000000B91C000-memory.dmpFilesize
624KB
-
memory/3352-10-0x0000000005580000-0x00000000055C2000-memory.dmpFilesize
264KB
-
memory/3352-11-0x000000000B7E0000-0x000000000B846000-memory.dmpFilesize
408KB
-
memory/3352-12-0x0000000075230000-0x00000000759E0000-memory.dmpFilesize
7.7MB
-
memory/3352-13-0x00000000051F0000-0x0000000005200000-memory.dmpFilesize
64KB
-
memory/3352-14-0x0000000005BF0000-0x0000000005C40000-memory.dmpFilesize
320KB