Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-01-2025 01:24
General
-
Target
Order_Request SO-124465.exe
-
Size
924KB
-
MD5
23af09149a763422a984f75d1aee99f7
-
SHA1
a744ec1977556c64257eade7e9f3bc8c903d14f9
-
SHA256
3c0b9b0b239b7a68824a36d9d9e724af717ae05fca697e0563cf93e24a22e335
-
SHA512
a8a6c94cbba7244de717508905af6791ffa8bd2a0a1e06776def50f76195deae3c9ff0a0e4922d76df5315654ee54e1ad1bc58e37871a255bce2f714f37dff00
-
SSDEEP
24576:GuA8h591jcS39X+6RJNBIQll+hQT2jiux51:8K31P9X3RFIQlluQsx/
Malware Config
Extracted
Protocol: smtp- Host:
162.254.34.31 - Port:
587 - Username:
[email protected] - Password:
JaR4LTajHPY5
Extracted
agenttesla
Protocol: smtp- Host:
162.254.34.31 - Port:
587 - Username:
[email protected] - Password:
JaR4LTajHPY5 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Loads dropped DLL 1 IoCs
-
Blocklisted process makes network request 5 IoCs
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 23 IoCs
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Order_Request SO-124465.exe"C:\Users\Admin\AppData\Local\Temp\Order_Request SO-124465.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -windowstyle hidden "$Foreswore=gc -raw 'C:\Users\Admin\AppData\Local\Ramtils\Formaldehyds\tyngdepunkterne\Underpicked.Und';$Tephillin=$Foreswore.SubString(17671,3);.$Tephillin($Foreswore) "2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\SysWOW64\msiexec.exe"3⤵
- Blocklisted process makes network request
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
318KB
MD50e886555c53c6b022bd854987a2b4e25
SHA1c0ece93f59afd5960603ebd8f03cec70c1ac02cd
SHA25696be5bf1069766c16b4fadebd7936856a39eef4161e9ca9af08af1a6407b58a9
SHA5129193f1cf894128753e5f5b5c003ab5f4e1690385ba84e374dcac8a4bfcead56cae5a73eb13deceafebcab7e47ed56c33f232ddcf37550ed09cc5ce3e0b63ff36
-
Filesize
73KB
MD5d1dc147078aaa37825fd468f40a94b02
SHA1d610777737474a9d1646f81cca519297f1a00b16
SHA2566babf9579785aa0f9d87c4ab2a832d66945997e7169938cc302e8e7a5cba09f6
SHA51247a47aa58f604459a1b613ac41157547173a4befaf88353ae1e286e8e6882d718bed75d963b9fe817592523fd6f095c535c0b67883980057d6c6cbdf7faa2f05
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
6KB
MD551e63a9c5d6d230ef1c421b2eccd45dc
SHA1c499cdad5c613d71ed3f7e93360f1bbc5748c45d
SHA256cd8496a3802378391ec425dec424a14f5d30e242f192ec4eb022d767f9a2480f
SHA512c23d713c3c834b3397c2a199490aed28f28d21f5781205c24df5e1e32365985c8a55be58f06979df09222740ffa51f4da764ebc3d912cd0c9d56ab6a33cab522
-
Filesize
4KB
-
Filesize
216KB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
600KB
-
Filesize
104KB
-
Filesize
136KB
-
Filesize
5.6MB
-
Filesize
6.5MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
200KB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
652KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
168KB
-
Filesize
144KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
11.3MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
1.1MB
-
Filesize
11.3MB
-
Filesize
11.3MB
-
Filesize
18.3MB
-
Filesize
18.3MB
-
Filesize
256KB
-
Filesize
320KB
-
Filesize
624KB
-
Filesize
584KB
-
Filesize
40KB