Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
-
submitted
30-04-2024 00:31
General
-
Target
SecuriteInfo.com.Heur.32701.20065.exe
-
Size
783KB
-
MD5
f17de52fcf8876fe0f7dfe27938821ad
-
SHA1
643627151448795c6d296cc2c9c5be59937da4d9
-
SHA256
98b85ee0663117740bdac3c6af9fd2c637206f83be0978b865bc9cce1cc2eb51
-
SHA512
a6a3266955c430eff1a78612de56b4442d2818ec4363f8efd91a44c7dbbcf94a6d3731d47959496c05851c306e223f6826ab140ec373cd1e0ee5f052dcb1bce0
-
SSDEEP
24576:QlPmicd0uitF0I/tI6WHft8xjmq5c30l:QluicdaWHl8xy/k
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.starmech.net - Port:
587 - Username:
[email protected] - Password:
nics123 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\tNRjyjsAFX.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tNRjyjsAFX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp405A.tmp"2⤵
- Creates scheduled task(s)
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Heur.32701.20065.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp405A.tmpFilesize
1KB
MD52de9eaa8754d456896f3515dae42bf1b
SHA19d7d3fd0fdbc085a59ec9b29a39ee36760a1f9d2
SHA25625df73625d6c07b7f3425717a582aaa6bb9457fe1efd23ed24a3eabaa011591d
SHA512af532107fc67304179a27d193ae67ad4b13515fe2d32b0aca4cba8fd7dbaaf3a3b676ba3648deb9196c115d1270f1047762b81ece84539e01249f9d3364006b9
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5e2de0a3219abc0da417bb212d0ab2635
SHA18cd51f368952e6799ab080811e596332dbcd2f87
SHA256e754cab5eb2b385493e2419b9de65dfc96f56e6531fd6bd7fb0ed8cdb2615c6f
SHA512553afde4619308ab606b21a6e9c7140b0f2de8e3ef01a5fe964579c2bd6e78fa0fc478c10168adcda5336e61ccb561ca8fdf4d78d425d830e1fbaebeaf0b27ed
-
memory/2192-4-0x0000000000580000-0x000000000058E000-memory.dmpFilesize
56KB
-
memory/2192-31-0x0000000074500000-0x0000000074BEE000-memory.dmpFilesize
6.9MB
-
memory/2192-0-0x0000000000840000-0x000000000090A000-memory.dmpFilesize
808KB
-
memory/2192-5-0x0000000000690000-0x00000000006A6000-memory.dmpFilesize
88KB
-
memory/2192-6-0x0000000004F00000-0x0000000004F84000-memory.dmpFilesize
528KB
-
memory/2192-2-0x00000000044C0000-0x0000000004500000-memory.dmpFilesize
256KB
-
memory/2192-1-0x0000000074500000-0x0000000074BEE000-memory.dmpFilesize
6.9MB
-
memory/2192-3-0x0000000000780000-0x0000000000798000-memory.dmpFilesize
96KB
-
memory/2428-19-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-30-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-29-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-27-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/2428-25-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-23-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-21-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB
-
memory/2428-28-0x0000000000400000-0x0000000000442000-memory.dmpFilesize
264KB