Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
31/08/2024, 15:23
General
-
Target
2f12d12ac06ba0762329e9d02c10d4202117c2201b9eaa8361a8e57c908373a6.ps1
-
Size
356KB
-
MD5
c86a89bfbb6695378fb207de8578d206
-
SHA1
f9a2ab9b571a77c51d5ef5ed90a1a62f4f0f98d5
-
SHA256
2f12d12ac06ba0762329e9d02c10d4202117c2201b9eaa8361a8e57c908373a6
-
SHA512
9dec301fe44b8a4f6966a5de911ba8dd8ed60c56cb67008a12feb6c21a6924dd978e0f787dc286cbc530ea5b5a8a73d6c3bcfb7fc2079bbc257f6c4722daad12
-
SSDEEP
1536:EUKRwevEPGKAjHFTNva119BaPffP5Cfx54awKUZDpUfIvXN9Ll68JxE9g5qvEgzJ:NeG
Malware Config
Extracted
agenttesla
http://103.125.190.248/j/p12m/mawa/30b1acecbda6c5d6ed4c.php
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 1 IoCs
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Drops file in Drivers directory 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
outlook_office_path 1 IoCs
-
outlook_win_path 1 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\2f12d12ac06ba0762329e9d02c10d4202117c2201b9eaa8361a8e57c908373a6.ps11⤵
- Suspicious use of SetThreadContext
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l2wadotz\l2wadotz.cmdline"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES87BE.tmp" "c:\Users\Admin\AppData\Local\Temp\l2wadotz\CSC2F11E646AD34DA1AE363F3C08ECBEC.TMP"3⤵
-
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"2⤵
- Drops file in Drivers directory
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD56da414b1e2b3b3e58fe77a6f520a2aa2
SHA19f2e22418ce65ea1adb3c535fe4a961b21c86419
SHA256b623126a1ccce6cfcbc4049aa209c4ce349c10815cd3edc4f559506c13742946
SHA5122dba1e7a81624a9b5a6a7b77bd87a12cf3621a5b52b26f852f2a73f302c3c27cb83b5d271d4f38199cf98ce73502469c473eca893f3fc028efa75b3aa1be1d3c
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
13KB
MD5ded6159efe79b1103abe5c28baabca65
SHA19344351c310e98c9c47adf1e9004e5e31560b6a5
SHA2564b009ecb7667e62c8f766753d175dec524239fd6cefa049e4104769c502ac117
SHA512023907defeb2671164a43bb38b707a5f3a95a4899296ec2d236a93e0fd704ba2a9a96345204ec1e811122f9fa52f893b9a95515d81358c4ecbe1589e09f709ad
-
Filesize
652B
MD5f5a32a6cd6c947ec7673d1c6de8b554c
SHA1832f720f7d56a891213d84694ca4d5d9d3535bcc
SHA256091b9e4e2df0258ae664f84e6079d7f0d22eb174b98adf2a759f02fd8711e02e
SHA5121bed1a87e523d011e63866627e9c6b329616b5414664cd2bced0875a5f25ad19a984f35237b9aa362e44d1a0171d895b4a4cbffcc5a0fa7e6ce842c01cc200d3
-
Filesize
13KB
MD5e03b1e7ba7f1a53a7e10c0fd9049f437
SHA13bb851a42717eeb588eb7deadfcd04c571c15f41
SHA2563ca2d456cf2f8d781f2134e1481bd787a9cb6f4bcaa2131ebbe0d47a0eb36427
SHA512a098a8e2a60a75357ee202ed4bbe6b86fa7b2ebae30574791e0d13dcf3ee95b841a14b51553c23b95af32a29cc2265afc285b3b0442f0454ea730de4d647383f
-
Filesize
327B
MD5531032d90a4054cd2c7b4f79847aed9e
SHA1217abb56bc227a6ae37489536ff9aabedeb45b47
SHA256bf69fb9b63856fb1dd1302c6a9eab27a4c499d186f469d35762978b1be7e96af
SHA512b7cf1fdd76386eb9cbc67f0a7e09d28947405abb15ee1bbb6856d4aa91b77b6d0d7276f5f60456c15096254e877a335e10466cf771dede1d02155f5c8c9147d5
-
Filesize
472KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
40KB
-
Filesize
8KB
-
Filesize
240KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
624KB
-
Filesize
96KB
-
Filesize
408KB
-
Filesize
320KB
-
Filesize
40KB