Managed XDR

16969a2d-cc1f-c2f4-c193-35a39c20e5c8.eml (Agent Tesla): dynamic analysis report for a malicious file

File information

File name
16969a2d-cc1f-c2f4-c193-35a39c20e5c8.eml
File type
ASCII text, with very long lines, with CRLF line terminators
File size
1.8 MB
First detected
Last detected

Environment

w10/x64 en

Hashes

SHA1
e69e9974c41eac87d1531c1c18b769fff81cf696
SHA256
23192c53c19821e7b06e3fb041dbfde4f57536c29b82d9aa3b004d33625eb75b
MD5
f56b086f979001a94fa17047f3f9b9eb

Malware

  • Agent Tesla

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process
T1059 nsis_suspicious_filenames: Nsis contains files with suspicious names

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 nsis_archive: One of the packages is NSIS archive
T1027.002 nsis_suspicious_filenames: Nsis contains files with suspicious names
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552 infostealer_browser: Retrieves personal information from local Internet browsers
T1503 infostealer_browser: Retrieves personal information from local Internet browsers
T1552 infostealer_mail: Collects personal data from local email clients
T1552 infostealer_ftp: Collects data from local FTP clients
T1552.001 infostealer_winscp: Collects information from configuration file of WinSCP
T1552.001 infostealer_vpn: Collects information about installed VPN software
T1555.003 cookie_files: Accesses cookie files
T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager
T1552 cookie_files: Accesses cookie files

Discovery

T1518 locates_browser: Attempts to identify where browsers are installed

Collection

T1114 infostealer_mail: Collects personal data from local email clients

Command and Control

T1071.001 network_http: Performs HTTP requests

Other

suricata_alert: Malicious traffic detected
network_suspicious_ftp: Performs suspicious FTP requests
runs_utility_without_cmdline: Runs system utility without arguments (non-typical usage)
create_process_failed: Could not start the process
network_ftp: Performs FTP requests
no_graphical_activity: No graphic activity
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
pe_overlay: PE file contains overlay
nsis_mouse_movement: NSIS tracks mouse movement
ce_info: FTP credentials Configuration Data found
