Analysis
-
max time kernel
148s -
max time network
148s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
06-11-2024 09:29
General
-
Target
10029384756.exe
-
Size
842KB
-
MD5
8baafa32d7de3e0ba360e8df8c95e509
-
SHA1
65555b69b67f242a68c83a1735d7764bcbb417a0
-
SHA256
45a450142e00de4a60676d56cee58b35e2c59c0af562c7740cfc7c42c2175ba1
-
SHA512
ce7b7897a037269e646f7f71d00100c463582f3b786f90b68916b4dd5ff9e60e3d85fdcf3cb1ecbef1de9c4ba21fb9a4770b50b97d8a3c0b6735a2062274d0d4
-
SSDEEP
24576:lWO703h0R6ZL7h1sb1YDij7wt54gjOfHb:ookh0u91SYDrjc
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mail.hearing-vision.com - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Loads dropped DLL 1 IoCs
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\10029384756.exe"C:\Users\Admin\AppData\Local\Temp\10029384756.exe"1⤵
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\10029384756.exe"C:\Users\Admin\AppData\Local\Temp\10029384756.exe"2⤵
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
40B
MD534b6486be479025fb25d832fa829a153
SHA1a7e5f7f6cfc1004b46181c718a250f603a19ea1c
SHA256bc3788143aae61e43980462fbb660958db120cf7975a990ce5598bdf80dcf5f3
SHA51271494342be8989348f9df287a8e6fdb3b850d9d3f6d1f106f2ca75d241da141514ea23530e02d38bee700217792ed18b425f0e143de31731b7858acfc0e07e30
-
Filesize
11KB
MD5fbe295e5a1acfbd0a6271898f885fe6a
SHA1d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA5122cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06
-
Filesize
16.4MB
-
Filesize
264KB