Analysis
-
max time kernel
93s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
19-09-2024 06:50
General
-
Target
hesaphareketi-.exe
-
Size
2.3MB
-
MD5
ac4a055b326c3cc696d5a716af016f0b
-
SHA1
8ad58e88d9c2611928aa0460dbcfe850b1f3a6ef
-
SHA256
b29d97da8d548a2b32d4b29ee923f0cd81861c025c355bf87caba17cd97b8e95
-
SHA512
2e5da6299549bdbff52fcaf82663b09e5616a3d287213f8d13c6d10077a071c5d5a92118887f4fba89aa13aba4bede6523527a5ba8a17905a8e734dc0988280b
-
SSDEEP
12288:deyEgM4kqujoE3sDWcpTOD9UhL7EjzutLDRgSGsRhTZjo/:dekTkq8LDKZ4+jRhNjo/
Score
10/10
Malware Config
Extracted
Credentials
Protocol: ftp- Host:
ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
ab+LNvim5PAo
Extracted
Family
agenttesla
Credentials
Protocol: ftp- Host:
ftp://ftp.normagroup.com.tr - Port:
21 - Username:
[email protected] - Password:
ab+LNvim5PAo
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Suspicious use of SetThreadContext 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 11 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\hesaphareketi-.exe"C:\Users\Admin\AppData\Local\Temp\hesaphareketi-.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.7MB
-
Filesize
320KB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
256KB
-
Filesize
624KB
-
Filesize
408KB
-
Filesize
10.8MB
-
Filesize
32KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
584KB