Analysis

  • max time kernel
    122s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/10/2024, 09:30 UTC

General

  • Target

    final_payload.exe

  • Size

    237KB

  • MD5

    98ca5c0430d77e315958f9d9c1d1d11d

  • SHA1

    4039ec85d1b8ab79275d0d1973a7ed2189430475

  • SHA256

    f1ef036b61d724edf304d171e67d4bd3faf0d27abd5486ae0893843a5464ed9b

  • SHA512

    4a30276ac8ac30453a2e048dd014d1ce180c4ccf3c07dd143f3f520695e81568011e91933d0bbfa0b1f46c0377dffa10bec43cf28292b215a7174e9c22d25ba4

  • SSDEEP

    3072:8S6yayKFhMvis4Kj62BIoR0Ea5t9H5aabLEJUb:8S6yayKF+vTDfIoR0Ea5t9E8LM

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.mohawatradingco.com
  • Port:
    587
  • Username:
    bi@mohawatradingco.com
  • Password:
    mohawatradingco.com
  • Email To:
    biz@mohawatradingco.com

Signatures

Processes

  • C:\Users\Admin\AppData\Local\Temp\final_payload.exe
    "C:\Users\Admin\AppData\Local\Temp\final_payload.exe"
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3028

Network

  • DNS (US)
    ip-api.com
    final_payload.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
    Response
    ip-api.com
    IN A
    208.95.112.1
  • GET (US)
    http://ip-api.com/line/?fields=hosting
    final_payload.exe
    Remote address:
    208.95.112.1:80
    Request
    GET /line/?fields=hosting HTTP/1.1
    Host: ip-api.com
    Connection: Keep-Alive
    Response
    HTTP/1.1 200 OK
    Date: Mon, 07 Oct 2024 09:31:07 GMT
    Content-Type: text/plain; charset=utf-8
    Content-Length: 5
    Access-Control-Allow-Origin: *
    X-Ttl: 52
    X-Rl: 43
  • 208.95.112.1:80
    http://ip-api.com/line/?fields=hosting
    http
    final_payload.exe
    Sent: 310 B (5 packets)
    Received: 346 B (4 packets)

    HTTP Request

    GET http://ip-api.com/line/?fields=hosting

    HTTP Response

    200
  • 8.8.8.8:53
    ip-api.com
    dns
    final_payload.exe
    Sent: 56 B (1 packet)
    Received: 72 B (1 packet)

    DNS Request

    ip-api.com

    DNS Response

    208.95.112.1

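The extracted SMTP configuration and the network section together give a compact indicator set: the account and mailbox used for exfiltration, the mail server and port, the geolocation lookup (the `fields=hosting` query asks ip-api.com whether the egress address belongs to a hosting or datacenter range, a check commonly used to spot sandboxes and VPS hosts before a payload does anything further), and the address ip-api.com resolved to. The following Python is an added example, not part of the sandbox report, showing how a detection engineer might match those indicators against Zeek-style JSON logs. The log records are constructed for illustration, and the field names (`_path`, `query`, `answers`, `host`, `uri`, `mailfrom`, `rcptto`) follow Zeek's dns.log, http.log and smtp.log conventions as assumed here.

```python
"""Match the indicators from this report against Zeek-style JSON logs.

Added example (not from the sandbox report). Indicators are copied from the
Malware Config and Network sections above; the log records are constructed.
"""
import json
from urllib.parse import parse_qs, urlsplit

# Indicators from the report.
SMTP_HOST = "mail.mohawatradingco.com"   # exfil mail server (port 587)
SMTP_USER = "bi@mohawatradingco.com"     # account the sample authenticates as
SMTP_RCPT = "biz@mohawatradingco.com"    # mailbox the stolen data is sent to
GEO_HOST = "ip-api.com"                  # hosting/datacenter check
GEO_IP = "208.95.112.1"                  # A record returned in the sandbox

# Constructed Zeek-style records (dns.log, http.log, smtp.log); field names
# follow Zeek's JSON output as assumed here. Non-report addresses are
# documentation ranges.
SAMPLE_LOGS = """\
{"_path":"dns","id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","id.resp_p":53,"query":"ip-api.com","qtype_name":"A","answers":["208.95.112.1"]}
{"_path":"http","id.orig_h":"10.0.0.5","id.resp_h":"208.95.112.1","id.resp_p":80,"method":"GET","host":"ip-api.com","uri":"/line/?fields=hosting","status_code":200,"response_body_len":5}
{"_path":"http","id.orig_h":"10.0.0.7","id.resp_h":"198.51.100.80","id.resp_p":80,"method":"GET","host":"intranet.example","uri":"/index.html","status_code":200,"response_body_len":1256}
{"_path":"dns","id.orig_h":"10.0.0.5","id.resp_h":"8.8.8.8","id.resp_p":53,"query":"mail.mohawatradingco.com","qtype_name":"A","answers":["203.0.113.25"]}
{"_path":"smtp","id.orig_h":"10.0.0.5","id.resp_h":"203.0.113.25","id.resp_p":587,"helo":"WIN-PC","mailfrom":"bi@mohawatradingco.com","rcptto":["biz@mohawatradingco.com"],"tls":true}
{"_path":"smtp","id.orig_h":"10.0.0.9","id.resp_h":"198.51.100.25","id.resp_p":587,"helo":"laptop","mailfrom":"alice@corp.example","rcptto":["bob@corp.example"],"tls":true}
"""


def hosting_check(rec):
    """Flag an ip-api.com request if it asks for the 'hosting' field."""
    if rec.get("_path") != "http" or rec.get("host") != GEO_HOST:
        return None
    # fields= may carry a comma-separated list, e.g. fields=hosting,query
    values = parse_qs(urlsplit(rec.get("uri", "")).query).get("fields", [])
    wanted = {f.strip() for v in values for f in v.split(",")}
    if "hosting" in wanted:
        return {"tag": "geoip-hosting-check", "src": rec["id.orig_h"], "detail": rec["uri"]}
    return None


def dns_match(rec):
    """Flag lookups of the geolocation service or of the exfil mail server."""
    if rec.get("_path") != "dns":
        return None
    query = rec.get("query", "")
    if query in (GEO_HOST, SMTP_HOST) or GEO_IP in rec.get("answers", []):
        return {"tag": "dns-ioc", "src": rec["id.orig_h"], "detail": query}
    return None


def smtp_exfil(rec):
    """Flag mail sent as the configured account or to the configured mailbox."""
    if rec.get("_path") != "smtp":
        return None
    rcpts = set(rec.get("rcptto", []))
    if rec.get("mailfrom") == SMTP_USER or SMTP_RCPT in rcpts:
        detail = f"{rec.get('mailfrom')} -> {sorted(rcpts)} on port {rec.get('id.resp_p')}"
        return {"tag": "agenttesla-smtp-exfil", "src": rec["id.orig_h"], "detail": detail}
    return None


CHECKS = (hosting_check, dns_match, smtp_exfil)


def scan(log_text):
    """Run every check over each JSON record; return the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        for check in CHECKS:
            hit = check(rec)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOGS):
        print(f"{f['src']:<10} {f['tag']:<24} {f['detail']}")
```

Two caveats when reading this against the report. The response to the `fields=hosting` request carried `Content-Length: 5`, but the body itself is not shown, so the page does not reveal whether the sandbox address was classified as hosting. And Zeek's smtp.log records no server hostname, which is why the SMTP check keys on the authenticated account and recipient rather than on mail.mohawatradingco.com; the mail server name only surfaces in dns.log, so the DNS check watches for it as well.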
MITRE ATT&CK Enterprise v15

Downloads

  • memory/3028-0-0x000000007420E000-0x000000007420F000-memory.dmp

    Filesize

    4KB

  • memory/3028-1-0x00000000002E0000-0x0000000000322000-memory.dmp

    Filesize

    264KB

  • memory/3028-2-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB

  • memory/3028-3-0x000000007420E000-0x000000007420F000-memory.dmp

    Filesize

    4KB

  • memory/3028-4-0x0000000074200000-0x00000000748EE000-memory.dmp

    Filesize

    6.9MB
