Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
22-05-2024 14:32
Behavioral task
behavioral1
Sample
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe
Resource
win10v2004-20240508-en
General
-
Target
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe
-
Size
234KB
-
MD5
f8a0b524a9bf092127367ab435be80ca
-
SHA1
1bd52ef830a42a9bd5be0c2fec999fe86e55ebe7
-
SHA256
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d
-
SHA512
1dc502faa615b30bc600e142ef8147d3a9d41eccb82142995b0ad9e7a57430789ccbaba89111e322b9d1b3432c9161c4f1436b7833c5690fdcfa3ad9f71540b5
-
SSDEEP
3072:uBAvjPLfl7zHvs0bYQvOAs34mM25rvP1tQJ:uBAvjPLfRzHvs0bYnCmMW31K
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
aYl@txL3 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exepid process 1636 a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe 1636 a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exedescription pid process Token: SeDebugPrivilege 1636 a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe"C:\Users\Admin\AppData\Local\Temp\a08e6eb5abf43b1b82c2cb670e74538eb02fed21a3a63b93cfbfbf8a22707c0d.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1636-0-0x000000007492E000-0x000000007492F000-memory.dmpFilesize
4KB
-
memory/1636-1-0x0000000001080000-0x00000000010C0000-memory.dmpFilesize
256KB
-
memory/1636-2-0x0000000074920000-0x000000007500E000-memory.dmpFilesize
6.9MB
-
memory/1636-3-0x000000007492E000-0x000000007492F000-memory.dmpFilesize
4KB
-
memory/1636-4-0x0000000074920000-0x000000007500E000-memory.dmpFilesize
6.9MB