Analysis
-
max time kernel
104s -
max time network
106s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
16-09-2024 01:50
Behavioral task
behavioral1
Sample
f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe
Resource
win10v2004-20240802-en
General
-
Target
f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe
-
Size
234KB
-
MD5
088211e09899d6a902f83b94702a8560
-
SHA1
ac96782481cfc2c3a9db33e1e1fa560e7303548e
-
SHA256
f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446
-
SHA512
357b23af38e19e289cec7cb57c948929e29b2e7c971f3f688a50c08bbd3764a6450a5aeadb9eb183e7b144d1b098f68dd7813bd8986df0d5e970db09a26094b1
-
SSDEEP
3072:8d0e4UfeCwl7L+hWlLzb9nJvc+guf2Omj5lVTDha:8d0e4UfeCc7L+hWxzb9nS+gY2OmxTl
Malware Config
Extracted
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
aowapnzgtwgqowgt
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
aowapnzgtwgqowgt - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2984 f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe 2984 f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2984 f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe"C:\Users\Admin\AppData\Local\Temp\f943f06dedcd8017ca95691364f90df38fb8e9e4620bb5a5fc9739d0b2797446.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2984