Analysis
-
max time kernel
136s -
max time network
143s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
29-04-2024 09:27
General
-
Target
tempe.exe
-
Size
1.0MB
-
MD5
bebe5907e39cdbd2a097c0325f6b12ed
-
SHA1
8ebfa77700a40d7935e41c376c0f0962c62e1c5a
-
SHA256
c1f17712810a4cf0a12284d47e17b97f53edcf818993c50edc076ba3e7d9135d
-
SHA512
d107f99e99966d4f21e0ca363e80fe825cf3edc067eacf3eda68e1d8df846168809497d57336210070ddc68d9e4eb375f0d0f03bf7670e5cdf35817afd2d701c
-
SSDEEP
24576:+AHnh+eWsN3skA4RV1Hom2KXMmHaNdYpcqO6p5:ph+ZkldoPK8YaNCOo
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.cash4cars.nz - Port:
587 - Username:
[email protected] - Password:
logs2024! - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tempe.exe"C:\Users\Admin\AppData\Local\Temp\tempe.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\tempe.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/636-11-0x0000000000730000-0x0000000000772000-memory.dmpFilesize
264KB
-
memory/636-12-0x00000000750A0000-0x0000000075850000-memory.dmpFilesize
7.7MB
-
memory/636-13-0x0000000005390000-0x0000000005934000-memory.dmpFilesize
5.6MB
-
memory/636-14-0x00000000027C0000-0x00000000027D0000-memory.dmpFilesize
64KB
-
memory/636-15-0x0000000004EE0000-0x0000000004F46000-memory.dmpFilesize
408KB
-
memory/636-17-0x0000000006070000-0x00000000060C0000-memory.dmpFilesize
320KB
-
memory/636-18-0x0000000006160000-0x00000000061F2000-memory.dmpFilesize
584KB
-
memory/636-19-0x00000000060F0000-0x00000000060FA000-memory.dmpFilesize
40KB
-
memory/636-20-0x00000000750A0000-0x0000000075850000-memory.dmpFilesize
7.7MB
-
memory/636-21-0x00000000027C0000-0x00000000027D0000-memory.dmpFilesize
64KB
-
memory/3152-10-0x0000000001280000-0x0000000001284000-memory.dmpFilesize
16KB