Analysis
-
max time kernel
117s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
29-04-2024 17:20
General
-
Target
SecuriteInfo.com.Heur.25013.20090.exe
-
Size
631KB
-
MD5
26aa84b983564ccd62143b164ffa7f62
-
SHA1
df39b8d79ca797d9dc594f62d705682b4ec7d634
-
SHA256
3029eb76575a110e9bfeadcee488cb4db00d25da6d8529e48d49f2fee0770f80
-
SHA512
ebc73b0faeb5886ff5910fc69d93293de875098ffb66037508e70f1a8c922312952a5d8341aa856787e4ffa670fc01fb40b288c067dba4aaec5e7c886c74bcf6
-
SSDEEP
12288:mZMAvNlMfHJ2zJWfs+Pk8xVv5x9+AeVmxgU5hT3ETB778Qm:jAw2zJWfs+s8HjnXgWhUTB0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.starmech.net - Port:
587 - Username:
[email protected] - Password:
nics123 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\yNoWANrisVl.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\yNoWANrisVl" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.25013.20090.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp9F2C.tmpFilesize
1KB
MD51c8f2f115ccfc56a0f2ea2011a3a141c
SHA126b92f820260aa582bf5bd638f0bd3a7eb684916
SHA256520413bf7871040793372e25fad85fced13e1d225bf4a3c08e631f21a1660113
SHA5120420f3d302bf7869ca7793fb5c51bec28589b22100a35d6eee474c3615d19966f4e64e1230d1cfd5689d6645316157197d53577e63a4b39c6b676788b0290363
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Y7FV5ZFVWMK2LC76PPJ2.tempFilesize
7KB
MD5349bb9589c9b083dc87df92efb5e5715
SHA1511a9c74ea53bfbea526007315b2830c6b557f2c
SHA256be0199ae74011081631fa1e982ffd1fde6e6227611a9961ed41fa42b50851ff0
SHA5127064d6b4d7319134458aca249874fbdd8c3063fc4badec4608847e3ef19b72285f3edfe3f593d964dc83b670ed796963801a05da4f21c5015d74a84f427f48b9
-
memory/2532-28-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-29-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-21-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-23-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-25-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2532-30-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2532-19-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/3036-6-0x0000000004CD0000-0x0000000004D54000-memory.dmpFilesize
528KB
-
memory/3036-1-0x0000000074940000-0x000000007502E000-memory.dmpFilesize
6.9MB
-
memory/3036-0-0x00000000001A0000-0x0000000000244000-memory.dmpFilesize
656KB
-
memory/3036-2-0x0000000004C90000-0x0000000004CD0000-memory.dmpFilesize
256KB
-
memory/3036-3-0x00000000004C0000-0x00000000004D8000-memory.dmpFilesize
96KB
-
memory/3036-5-0x0000000000530000-0x0000000000546000-memory.dmpFilesize
88KB
-
memory/3036-4-0x0000000000520000-0x000000000052E000-memory.dmpFilesize
56KB
-
memory/3036-31-0x0000000074940000-0x000000007502E000-memory.dmpFilesize
6.9MB