Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 18:24
Static task: static1
Behavioral task: behavioral1
- Sample: cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Resource: win10v2004-20240508-en
Behavioral task: behavioral2
- Sample: cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Resource: win11-20240508-en
General
- Target: cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Size: 498KB
- MD5: b616cc8c02b88cff3a1d36ab29673399
- SHA1: 34689314dda15bd7e84fb84e4cf09749f548bdd3
- SHA256: cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56
- SHA512: 21ed90d8b55b780c6dfd95e5ff6aab8fcd4818a7d199160532f43630ce4d97ccfc54a5624665c7a811b4c2ee9dba16488343181ce972d1bac3ce5aa8428121a3
- SSDEEP: 12288:abmJMxaP3/NCDptpDcC69kq6YX/ir+KY+1Nrmz:abm3PNC/6kq6YvirbYP
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.synergyinnovationsgroup.com
- Port: 587
- Username: [email protected]
- Password: C@p-Y8BoHc#?
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer; the configuration extracted above shows this sample exfiltrating over SMTP.
- Loads dropped DLL (2 IoCs)
  pid 764  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
  pid 764  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files of FTP clients such as FileZilla, which store saved site credentials on disk.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  pid 2580  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  pid 764   cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
  pid 2580  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 764 (cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe) set thread context of PID 2580 (cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\Fonts\Apoplektikerens\Chateaubriand.Exi, by cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid 2580  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe (3 hits)
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid 764  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, pid 2580  cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  PID 764 (cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe) wrote to memory of PID 2580 (cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe), 5 times
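Read together, the MapViewOfSection, WriteProcessMemory and SetThreadContext hits above describe a self-injection chain: PID 764 starts a second copy of the sample as PID 2580, writes into it, rewrites a thread context, and the child then hides its threads from debuggers, takes SeDebugPrivilege and enumerates processes before the credential-access behaviour fires. The Python below is an added example, not part of the sandbox report or of the tooling that produced it. It reconstructs that chain from a constructed, sandbox-style event list modelled on the hits above; the event field names and sequence numbers, the parent PIDs of 764 and 4048, the collapsing of the five WriteProcessMemory hits to two, and the ATT&CK technique mapping are all this example's assumptions.

```python
"""Reconstruct a self-injection chain from sandbox-style API events."""
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE = "cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe"

# Constructed process table: pid -> image and parent pid. The parent pids
# of 764 and 4048 are not in the report and are placeholders.
PROCESSES = {
    764:  {"image": SAMPLE, "ppid": 4000},
    2580: {"image": SAMPLE, "ppid": 764},
    4048: {"image": "msedge.exe", "ppid": 4100},
}

# Constructed, ordered API events modelled on the signature hits in the
# report; 'target' is the other process's pid for cross-process calls.
EVENTS = [
    {"seq": 1, "api": "NtSetInformationThread", "pid": 764,  "arg": "ThreadHideFromDebugger"},
    {"seq": 2, "api": "NtMapViewOfSection",     "pid": 764},
    {"seq": 3, "api": "WriteProcessMemory",     "pid": 764,  "target": 2580},
    {"seq": 4, "api": "WriteProcessMemory",     "pid": 764,  "target": 2580},
    {"seq": 5, "api": "SetThreadContext",       "pid": 764,  "target": 2580},
    {"seq": 6, "api": "NtCreateThreadEx",       "pid": 2580, "arg": "HideFromDebugger"},
    {"seq": 7, "api": "NtSetInformationThread", "pid": 2580, "arg": "ThreadHideFromDebugger"},
    {"seq": 8, "api": "AdjustTokenPrivileges",  "pid": 2580, "arg": "SeDebugPrivilege"},
    {"seq": 9, "api": "EnumProcesses",          "pid": 2580},
]

# What the injected process does afterwards, with this example's own
# ATT&CK mapping (the report itself lists no technique IDs).
POST_INJECTION = {
    "NtSetInformationThread": "T1622 Debugger Evasion",
    "NtCreateThreadEx":       "T1622 Debugger Evasion",
    "AdjustTokenPrivileges":  "T1134 Access Token Manipulation",
    "EnumProcesses":          "T1057 Process Discovery",
}


@dataclass
class Finding:
    injector: int
    target: int
    same_image: bool      # target runs the injector's image and is its child
    writes: int           # WriteProcessMemory calls into target
    thread_hijack: bool   # SetThreadContext on a thread of target
    post_injection: list = field(default_factory=list)

    @property
    def technique(self) -> str:
        if self.thread_hijack and self.same_image:
            return "T1055 Process Injection: self-spawned copy with rewritten thread context"
        return "T1055 Process Injection: remote write/context change into existing process"


def analyze(processes, events):
    """Group cross-process writes and context changes by (injector, target),
    then attach everything the target did after the first such call."""
    pairs = defaultdict(lambda: {"writes": 0, "hijack": False, "first_seq": None})
    for ev in sorted(events, key=lambda e: e["seq"]):
        tgt = ev.get("target")
        if tgt is None or tgt == ev["pid"]:
            continue
        if ev["api"] not in ("WriteProcessMemory", "SetThreadContext"):
            continue
        p = pairs[(ev["pid"], tgt)]
        if ev["api"] == "WriteProcessMemory":
            p["writes"] += 1
        else:
            p["hijack"] = True
        if p["first_seq"] is None:
            p["first_seq"] = ev["seq"]

    findings = []
    for (src, tgt), p in pairs.items():
        same = (processes[src]["image"] == processes[tgt]["image"]
                and processes[tgt]["ppid"] == src)
        post = sorted({POST_INJECTION[e["api"]] for e in events
                       if e["pid"] == tgt and e["seq"] > p["first_seq"]
                       and e["api"] in POST_INJECTION})
        findings.append(Finding(src, tgt, same, p["writes"], p["hijack"], post))
    return findings


if __name__ == "__main__":
    for f in analyze(PROCESSES, EVENTS):
        print(f"{f.injector} -> {f.target}: {f.technique}")
        print("  after injection:", ", ".join(f.post_injection))
```

Run stand-alone it reports a single finding, 764 -> 2580; the msedge.exe utility process yields nothing because it never writes into or changes the context of another process. The same-image-and-child-of-injector test is what separates a spawned-copy injection like this one from a remote write into an already-running third-party process, which is worth keeping as a distinct alert because the former is almost never legitimate.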
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe"
  PID: 764
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - [depth 2, child of PID 764] C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\cd3c4e2367d2980a9809fca28a819e6d67bbb8f03a11bd3c5de0f3ce269d7c56.exe"
    PID: 2580
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- [depth 1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4116,i,11266875042087428226,16669718873272757238,262144 --variations-seed-version --mojo-platform-channel-handle=3900 /prefetch:8
  PID: 4048
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: cff85c549d536f651d4fb8387f1976f2
  SHA1: d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e
  SHA256: 8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8
  SHA512: 531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88
- Filesize: 5B
  MD5: 92877af70a45fd6a2ed7fe81e1236b78
  SHA1: 0b7f849446d3383546d15a480966084442cd2193
  SHA256: 5860faf02b6bc6222ba5aca523560f0e364ccd8b67bee486fe8bf7c01d492ccb
  SHA512: 8ac4145c8e388ddfe3cd94886f026260d917cab07903c533f3a26945019bc4a50e6f23f266acbb0cbae89130fa3242c9a5145e4218c3ef1deebccb58d1a64a43
- Filesize: 30B
  MD5: f15bfdebb2df02d02c8491bde1b4e9bd
  SHA1: 93bd46f57c3316c27cad2605ddf81d6c0bde9301
  SHA256: c87f2ff45bb530577fb8856df1760edaf1060ae4ee2934b17fdd21b7d116f043
  SHA512: 1757ed4ae4d47d0c839511c18be5d75796224d4a3049e2d8853650ace2c5057c42040de6450bf90dd4969862e9ebb420cd8a34f8dd9c970779ed2e5459e8f2f1
- Filesize: 27B
  MD5: b93641813851b1ad166b8163e5aeddc9
  SHA1: 642d989ceea62bcfd70fb74f3c62ade0c1c41d78
  SHA256: 1628c6bee5afc85044309f45e34190bc9ce8bd9516e30792460e14362657d42d
  SHA512: eee31a0d51df3a7ba35ab4025f8d458c4d12b6f46412982ad34aef31d9e83c7070056a07777ed4b62fb3b92b376b618099374901ffe4f988fe0f853a0e57c8ec
- Filesize: 36B
  MD5: 056fd9e747f45f72c12ed185db65ca8f
  SHA1: 96b9e5254b0c249a3393008a3fb160b18319532b
  SHA256: b46a1b647cd0ac5d5ed27381e1559a8ed6244c5bb7a0d27a41ab1784c40bef85
  SHA512: 93f9577f9226d4c090034d81735a61a4505da2068e207d5885452637bfcf87f434278e58db281bce79d49e0d941bf3ead9550541b459fad386a7dd60e24c4446
- Filesize: 74B
  MD5: 16d513397f3c1f8334e8f3e4fc49828f
  SHA1: 4ee15afca81ca6a13af4e38240099b730d6931f0
  SHA256: d3c781a1855c8a70f5aca88d9e2c92afffa80541334731f62caa9494aa8a0c36
  SHA512: 4a350b790fdd2fe957e9ab48d5969b217ab19fc7f93f3774f1121a5f140ff9a9eaaa8fa30e06a9ef40ad776e698c2e65a05323c3adf84271da1716e75f5183c3
- Filesize: 19B
  MD5: adfb82dfa0a66bd7e108a83873cbd4cf
  SHA1: caaf90327bb1e7b6731e154351f351bf3a3bb1c4
  SHA256: 2ba412a038068300e9e4a538ed1d2cfcefa9a1b91f44408785d90a5d838a9228
  SHA512: 103f484f3497eaf8cc231f09a5c565ba524d5af523970272d9a853ede106fc176f524bb6aeb8f7f59992e7a5651abb55b80134d539bb050aaf780624422d982b
- Filesize: 42B
  MD5: 0bcee8c5e82ac40f66e8751ce6ce68db
  SHA1: 691dac6d13305f37d0131b4f9fbea4056464bdc3
  SHA256: 5321dbf97f475fe82925e543c2b69a42e13e957b56e1f0383e752cef75461df1
  SHA512: a105f320202bddd4b0b41e73c4dca1f7fbc07c48a58f1fb9d5b31b9078715f47f665f963be5a81f322b9101bde7100e8a03bff01d29085b8acbe9f894f84ddc7
- Filesize: 59B
  MD5: a95db921a0fe57e6aefc41a5c0ffc732
  SHA1: cd717fa5761f8d489d5578dd9f1b8e2b60ed7b72
  SHA256: b03db7bd6621619695e753f43ae1928527e03361af8e4fabcc28592770ac934d
  SHA512: 004cb8bda6852b10060c9866b12fc0b9127624efde028558e6a4da4482c98fe9df1ff5715eb07053174edd731771cac1130c1325f4b1836678f6386c739bcabb
- Filesize: 58B
  MD5: f67a3217c82ee42ab847ae31ec8d5791
  SHA1: 8ee856e52728943f838e10a85ebd2ffd0086d0f9
  SHA256: 84876c01e6a993ee50e93b2095a67f4fe409d2b37ad23cfcd889840e89ae5cca
  SHA512: a2f57de19c3c71836a0028be375daa0d7bcf4dd0d64609a70db6769e2491d8250df1a2f9cd569bc8a30f0bc7782fa4aff13ecb6d2b16bdc6bf2cef6745e86dcd
- Filesize: 60B
  MD5: 7e828655d00269fe9d73e99520061456
  SHA1: 5341e579934758bc6e25ae7b8e4fb559d8fea2ff
  SHA256: 0d1a557b0e8d85d8d78e905004b1a7037fc12d6ffa801ec4a44262ac28e4bb3c
  SHA512: c954c3ed0038f3888cdaf33232dad08370d5204e8054a381381959bcd1bd2125807ad3488ac94d4871db5310dc8f64b721307af1fb2711c22e4860e6d11e8081
- Filesize: 16B
  MD5: 1a069d3d8cca839a3c2f44a0e833d67c
  SHA1: 2bdc93e3d3aac0914cd4d3d43210bc2b2c7f09cf
  SHA256: 0c09cbcf0803dc2c44739757d37fe7f33fa193d747df71db3172e68aa0ddb309
  SHA512: 970ed67a84e4132b0336cd8f7c07c4ab6dc56ce97993b64e4e94a80e76ee7bd4ca04349cd0113df5e04053fbfde9d27c3cb5ab61a9492d584b7febfcaddf53e2
- Filesize: 21B
  MD5: 536389bbf053b80ce24ccb866d88062d
  SHA1: 6b73170d96a856ed910dad0c6da873ef30f90396
  SHA256: 43cb47f4df5b0c44fda22501a37e5ea542847cb48c2e184e10d47dd20900c2e4
  SHA512: 6d86692b95765720e371e1c026eeaa8adcb4a166c733a172d6a578b67e9cf604c12a907ea927e494463c6102a40262a1f0b4059c62b330110d64f4c5b8208a29
- Filesize: 31B
  MD5: 5415d7b5f473470da156e7453759be0a
  SHA1: 58cd7f10d07971346f26146e8fd7103f421e094a
  SHA256: 761068ce3e6a6df09bf30f006f40a21d1ea84dad04f61906ac807f68eda52947
  SHA512: 560af3a778d993cdd475f90e9a8df55b7e402291cf1787b73d1d5c3f1c4366975282b3685c51c59b2a3f3bdb2374b94aeda84ceaa1b65973278168546eb239f8
- Filesize: 45B
  MD5: 31d61c76e79aeb7a47ea32ae17caf8d1
  SHA1: e6a1c27f56f4d1b488693006ac7b939019982d54
  SHA256: 6460a03b8efc3e44cf547b6828f0f80ecdff029fbf0046ec28939b5c64040eab
  SHA512: 43c1d26a322f5a1fc1c0700e0baf6be63f8d22bc1685231f332e188ee1a074400b838e418676b6e75bf38c6aa622afa01eccc8bef2294029a64e44ee40fe1f19
- Filesize: 56B
  MD5: 53b8f59e083aa7c1b4fe5ed372e3e7e4
  SHA1: 98782aed5619d59ed36429277fe238727387955e
  SHA256: bc97a078a44781b51dc6a3d5c38147c918c8311459c1c3d5d272002c513a68af
  SHA512: 5ef8041026150b346839577e782a4ace6b2c9b2e3e0cc2ddd9e29dc34dbf598902e1895adf6353aaed6f56743c8d421d1dc898d188dbbaaa5bcca224e7306bb1
- Filesize: 52B
  MD5: 5d04a35d3950677049c7a0cf17e37125
  SHA1: cafdd49a953864f83d387774b39b2657a253470f
  SHA256: a9493973dd293917f3ebb932ab255f8cac40121707548de100d5969956bb1266
  SHA512: c7b1afd95299c0712bdbc67f9d2714926d6ec9f71909af615affc400d8d2216ab76f6ac35057088836435de36e919507e1b25be87b07c911083f964eb67e003b