Analysis

max time kernel:   32s
max time network:  35s
platform:          windows10-2004_x64
resource:          win10v2004-20220812-en
resource tags:     arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
submitted:         01/11/2022, 11:40

Static task:       static1
Behavioral task:   behavioral1
  Sample:          bank details.exe
  Resource:        win10v2004-20220812-en
  5 signatures
  300 seconds
General

Target:  bank details.exe
Size:    1.1MB
MD5:     e2d07c1194008eacff161c48fcb8b1c5
SHA1:    5436041b87687cc33fc7cc00dd10d0ed7249fe73
SHA256:  a04c0b0273560589235ee79ec27c895ca5d8c4e3e389a13ed6efca03a552e650
SHA512:  d251aaad669ea2a654037e062299569803c905477b0f9f8159c66d991608653fdffbc41abd6c24521fb31dfe6ef0299583690d07cc15bead5f269c9909b82939
SSDEEP:  24576:H77e4piFmw5WhGAwp7cKCocrGiPBFDDdOCNKWU:tKlWh67cfocrdPcmKz
Score:   10/10
Malware Config

Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process           procid_target
  PID 4900 set thread context of 2724  4900  bank details.exe  91

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   Process
  4900  bank details.exe
  4900  bank details.exe
  4900  bank details.exe
  4900  bank details.exe
  4900  bank details.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   4900  bank details.exe
  Token: SeDebugPrivilege   2724  RegSvcs.exe

Suspicious use of WriteProcessMemory (14 IoCs)
  description                        pid   Process           procid_target
  PID 4900 wrote to memory of 4856   4900  bank details.exe  89
  PID 4900 wrote to memory of 4856   4900  bank details.exe  89
  PID 4900 wrote to memory of 4856   4900  bank details.exe  89
  PID 4900 wrote to memory of 3480   4900  bank details.exe  90
  PID 4900 wrote to memory of 3480   4900  bank details.exe  90
  PID 4900 wrote to memory of 3480   4900  bank details.exe  90
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
  PID 4900 wrote to memory of 2724   4900  bank details.exe  91
Processes

C:\Users\Admin\AppData\Local\Temp\bank details.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\bank details.exe"
  PID: 4900
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "{path}"
    PID: 4856

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "{path}"
    PID: 3480

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    command line: "{path}"
    PID: 2724
    - Suspicious use of AdjustPrivilegeToken