Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
17/05/2024, 02:00
General
-
Target
d920f54205824893b67562d371ea565dc2ae8f1dc02b6e2e079ff0ec246563e6.exe
-
Size
66KB
-
MD5
40d4f9dce0a4c36281ac0fd748623f22
-
SHA1
b4ac62a557b720a82a89f279aebf062247ed686b
-
SHA256
d920f54205824893b67562d371ea565dc2ae8f1dc02b6e2e079ff0ec246563e6
-
SHA512
3bbe8979e950d3d4810b762f18496d91f3a867300d65e638d268030255f1f805f7479a44903f29d7382390a0462872f9af259b8ff5177552f143c8dc20b80705
-
SSDEEP
1536:uclZk2SFjwIcry68JT3KDJipMJQ2v83hGH:uclCw83JzK9kMJQ2vZH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
d9GOyTceXsMT - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
-
Detects executables packed with SmartAssembly 1 IoCs
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
-
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d920f54205824893b67562d371ea565dc2ae8f1dc02b6e2e079ff0ec246563e6.exe"C:\Users\Admin\AppData\Local\Temp\d920f54205824893b67562d371ea565dc2ae8f1dc02b6e2e079ff0ec246563e6.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Mrmjzj.exe"C:\Users\Admin\AppData\Local\Temp\Mrmjzj.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"3⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
93KB
MD593e85d15ef93ddf8ac964f84d9bec664
SHA1e3d58cca51afd2449a11a8a18c5a0f871dbca59c
SHA256816bb9cdaa18ffba5dbcedf69298718caac8a4ff6c674300a9299d0584a236c9
SHA512acd703192f69af97cd6d288ad43b3b6dc6e711c7747f25af05a0f0fe3619b5c503857d0f6dbe93b4d5dd411b8f0a51cf25b8596396c756cf7f3faed57b00c49c
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
320KB
-
Filesize
256KB
-
Filesize
7.7MB
-
Filesize
1.0MB
-
Filesize
2.8MB
-
Filesize
7.7MB
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
4KB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
480KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
336KB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
2.2MB
-
Filesize
7.7MB
-
Filesize
72KB
-
Filesize
792KB
-
Filesize
32KB
-
Filesize
344KB
-
Filesize
744KB