Analysis
- max time kernel: 34s
- max time network: 140s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 21-11-2024 12:06
- Static task: static1
- Behavioral task: behavioral1
- Sample: datasheet.exe
- Resource: win7-20240903-en
General
- Target: datasheet.exe
- Size: 639KB
- MD5: 27270bf6a969355e90e16289379cd6d1
- SHA1: 913f562df18cf266c3ae94605cce6c3ce084d472
- SHA256: 7292590b86e83ca5c6993b8c56578740d1f066c91baf3d95bee2bd34d9153f15
- SHA512: 814bec3009c19a298737385b783654110230cf902da1ebf18e2ad697901c884f8cf3f635979659ceedfa17aa5b79aa1b0860316baa2499b589d1586673730780
- SSDEEP: 12288:O7AgFdeiGKC0uCejzi9UhkL8WYCUeBhQi5UX9aLmmf5jq5XX2sMMnQ4HwXYJ:KAgeizWCeW94WYCnCEmi25H2OQ4QI
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: marcellinus360
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Agenttesla family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
  pid   process
  2880  powershell.exe
  2772  powershell.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow  ioc
  5     api.ipify.org
  4     api.ipify.org
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  datasheet.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  schtasks.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid   process
  2696  datasheet.exe
  2696  datasheet.exe
  2696  datasheet.exe
  2696  datasheet.exe
  2696  datasheet.exe
  2696  datasheet.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2696  datasheet.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
  description                        pid   process        target process
  PID 2696 wrote to memory of 2772   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2772   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2772   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2772   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2880   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2880   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2880   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2880   2696  datasheet.exe  powershell.exe
  PID 2696 wrote to memory of 2912   2696  datasheet.exe  schtasks.exe
  PID 2696 wrote to memory of 2912   2696  datasheet.exe  schtasks.exe
  PID 2696 wrote to memory of 2912   2696  datasheet.exe  schtasks.exe
  PID 2696 wrote to memory of 2912   2696  datasheet.exe  schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\datasheet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\datasheet.exe"
  PID: 2696
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\datasheet.exe"
    PID: 2772
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rjBdvmaV.exe"
    PID: 2880
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rjBdvmaV" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2710.tmp"
    PID: 2912
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2636
Network
MITRE ATT&CK Enterprise v15
Downloads
- (dropped file, path not recorded)
  Filesize: 1KB
  MD5: d438d71b11643e9cfcc8f578a1e06fa3
  SHA1: a376d4e52be53fe9623b47e44d5c50764003866e
  SHA256: 589f6520401522849f56a3bec534b2e40428a2ea5494c79249a1e9b3d761b1e5
  SHA512: 9fa6b67171f1b205e5374ec4d6f89939b015a2c597bb9feaaacf71bf64d5bd9378ebcd44aa45cd3fcb87c99edcce708ceb7c979d4622027ff5b863adf8031e1b
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\AXOCYPSJ3ENSFE4T7JX2.temp
  Filesize: 7KB
  MD5: 6a7f6fe6fc992f69095d839ff21185cb
  SHA1: 5c3bf0ca7877a674c6db26253a125864c5cd4f24
  SHA256: acb90f5d2e17cfda9b992ddeecedcb089da49561b5c3ee9d81cfa6708d13c622
  SHA512: 372180ee65a1aa3a89f651b12467b1a49f4d45b26b5a16265c75cb61191cd361687bd9bb353fac1d9ed94ba5841517e17e39a93d2ad9b9e352f998a9cbb4c28a