Resubmissions
11-12-2024 00:18
241211-alx6gswnbx 1011-12-2024 00:16
241211-akl2ts1ldr 311-12-2024 00:14
241211-ajr7fswmd1 311-12-2024 00:12
241211-ag75wswlhz 1004-09-2024 14:53
240904-r9kzhasdqr 10Analysis
-
max time kernel
64s -
max time network
16s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
11-12-2024 00:12
General
-
Target
39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287.exe
-
Size
496KB
-
MD5
6285ae9a1953232716b7817c6bce1ba6
-
SHA1
8ea818cd4c61b6c53a5eea7f5ff19cdd9e60a8fb
-
SHA256
39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287
-
SHA512
2dbdebc96f92dfda7a146f3ade91af8b4ac66ab9dd9d51b5efb72a0b5cd789086b49cdb435e837a013d7a29e9a4a9c148ad5ece84e2129fad84c5944b9485581
-
SSDEEP
12288:fPVEdXo7/apwbQB6R751Hlie+XhTalWP6lTcNeH1ug2nMnMqDXWxbnN:3VKu/jbp3lihmUiKwHs
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot1944842353:AAF4AUZAlM1Eseaom3hr9cg9ol6hzIat_qw/sendDocument
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
AgentTesla payload 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 23 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 35 IoCs
-
Suspicious use of SendNotifyMessage 35 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287.exe"C:\Users\Admin\AppData\Local\Temp\39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aIsPxrpSE" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA39F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287.exe"C:\Users\Admin\AppData\Local\Temp\39b52356da1f35c5bad343eea8880f4d8bdd6c0228a7a9b85e5f0117c6296287.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4KB
-
Filesize
520KB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
6.9MB
-
Filesize
384KB
-
Filesize
6.9MB
-
Filesize
5.9MB
-
Filesize
5.9MB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
240KB
-
Filesize
4KB
-
Filesize
240KB
-
Filesize
240KB