Analysis
max time kernel: 47s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 07-02-2023 01:04
Static task: static1
Behavioral task: behavioral1
Sample: 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe
Resource: win7-20220901-en
Behavioral task: behavioral2
Sample: 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe
Resource: win10v2004-20220812-en
General
Target: 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe
Size: 290KB
MD5: a9ab51dfa1a6f5ab8228567f8436c953
SHA1: 126534775336fef803809a9cc76f7efa1b6f9124
SHA256: 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1
SHA512: 9fc3f8c5734672d510c56ba8a47d5d0e096bb61e34e9b3e6220bfeb07cef598003e8e40ec861c239de85210a119be71b3bb908da6ee8485100f337bc020e1aac
SSDEEP: 6144:alTB6K9zVcNWxbdC8Bmd6891RxdEnbs+tE:cTQ85xbIUe6KJEng+y
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.mgcpakistan.com/
Port: 21
Username: [email protected]
Password: boygirl123456
Signatures
AgentTesla
Agent Tesla is a .NET remote access tool (RAT) and information stealer, historically written in VB.NET. This sample carries an FTP exfiltration configuration (host, port and plaintext credentials in the Malware Config section above), which is the usual Agent Tesla pattern of shipping the collection endpoint inside the binary.
AgentTesla payload (6 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1764-59-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1764-58-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1764-60-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1764-61-0x00000000004374CE-mapping.dmp | family_agenttesla
behavioral1/memory/1764-65-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1764-63-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
All six matches are in the RegAsm.exe child (PID 1764), in the same 0x400000-0x43C000 image range; no dump of the parent sample (PID 1284) matched the family rule, so the Agent Tesla payload only becomes visible after it is written into the hollowed host.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1284 set thread context of 1764 | 1284 | 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe | RegAsm.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
1764 | RegAsm.exe
1764 | RegAsm.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1764 | RegAsm.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1284 wrote to memory of 1764 | 1284 | 4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe | RegAsm.exe
(the row above is repeated 12 times in the report: every write went from the sample into the RegAsm.exe child)
Processes
- C:\Users\Admin\AppData\Local\Temp\4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe (PID 1284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (PID 1764, child of PID 1284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1284-54-0x0000000000290000-0x00000000002DE000-memory.dmp (312KB)
- memory/1764-55-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-56-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-59-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-58-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-60-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-61-0x00000000004374CE-mapping.dmp
- memory/1764-65-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-63-0x0000000000400000-0x000000000043C000-memory.dmp (240KB)
- memory/1764-66-0x0000000075931000-0x0000000075933000-memory.dmp (8KB)
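The Signatures, Processes and memory-dump sections above, taken together, describe one injection chain: the sample (PID 1284) writes into a freshly spawned, argument-less RegAsm.exe (PID 1764) twelve times, then calls SetThreadContext on it, and the only dumps that match family_agenttesla are the 0x400000-0x43C000 image range of that child, with the mapping address 0x4374CE inside it. The script below is an added example, not tria.ge output or code from the report: it transcribes those events as constructed data and reconstructs the hollowing chain the way an analyst would when triaging the report offline. The helper names, the list of .NET Framework host binaries and the verdict wording are this example's own assumptions.

```python
"""Reconstruct the injection chain recorded in the behavioural report above.

The process tree, API events and memory regions are transcribed from the
report; helper names, the .NET host list and the verdict text are assumptions
made for this example, not tria.ge output.
"""
from collections import Counter
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\4c78821242f3d5ae0180a5b0239cfc94873f6680f66dfca8956f1d20e13bd3d1.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

# pid -> (parent pid, image path, command line), as shown under "Processes".
PROCESSES = {
    1284: (None, SAMPLE, f'"{SAMPLE}"'),
    1764: (1284, REGASM, f'"{REGASM}"'),
}

# (api, source pid, target pid), as listed under "Signatures" (constructed).
EVENTS = (
    [("WriteProcessMemory", 1284, 1764)] * 12
    + [("SetThreadContext", 1284, 1764)]
    + [("AdjustPrivilegeToken", 1764, 1764)]  # SeDebugPrivilege in RegAsm.exe
)

# (pid, start, end, yara rule) for the matching dump, and the mapping address.
MEMORY_HITS = [(1764, 0x0000000000400000, 0x000000000043C000, "family_agenttesla")]
MAPPING = (1764, 0x00000000004374CE)

# .NET Framework utilities commonly abused as injection hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe",
                "applaunch.exe", "aspnet_compiler.exe", "csc.exe", "vbc.exe"}


def is_dotnet_host(image):
    """True for a Framework utility living under %WINDIR%\\Microsoft.NET."""
    return (ntpath.basename(image).lower() in DOTNET_HOSTS
            and r"\microsoft.net\framework" in image.lower())


def launched_without_arguments(cmdline):
    """True when the command line is only the (optionally quoted) image path.
    RegAsm.exe with no assembly argument just prints usage and exits, so a
    long-lived bare instance is suspicious on its own."""
    s = cmdline.strip()
    if s.startswith('"'):
        close = s.find('"', 1)
        rest = s[close + 1:] if close != -1 else ""
    else:
        parts = s.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip() == ""


def region_size_kb(start, end):
    """Size of a dumped region in KB, to cross-check the report's filesizes."""
    return (end - start) // 1024


def find_hollowing(processes, events):
    """Pair cross-process WriteProcessMemory with a later SetThreadContext on
    the same target: remote writes plus a thread-context change is the classic
    hollowing / thread-hijack sequence."""
    writes = Counter((s, t) for api, s, t in events
                     if api == "WriteProcessMemory" and s != t)
    contexts = {(s, t) for api, s, t in events
                if api == "SetThreadContext" and s != t}
    findings = []
    for src, dst in sorted(contexts):
        parent, image, cmdline = processes[dst]
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "target_image": image,
            "writes_to_target": writes[(src, dst)],
            "target_is_child": parent == src,
            "target_is_dotnet_host": is_dotnet_host(image),
            "target_launched_bare": launched_without_arguments(cmdline),
        })
    return findings


def regions_containing(memory_hits, mapping):
    """Dumps whose range covers the mapping address: the injected image's
    entry point should sit inside the region YARA attributed to the family."""
    pid, addr = mapping
    return [hit for hit in memory_hits if hit[0] == pid and hit[1] <= addr < hit[2]]


def verdict(findings, memory_hits, mapping):
    """One-line conclusion once the chain is corroborated by the memory hits."""
    hits = regions_containing(memory_hits, mapping)
    for f in findings:
        if (f["target_is_dotnet_host"] and f["target_launched_bare"]
                and hits and mapping[0] == f["target_pid"]):
            return (f"process hollowing: PID {f['source_pid']} injected into "
                    f"{ntpath.basename(f['target_image'])} (PID {f['target_pid']}), "
                    f"{f['writes_to_target']} writes, payload matched {hits[0][3]}")
    return "no injection chain reconstructed"


if __name__ == "__main__":
    found = find_hollowing(PROCESSES, EVENTS)
    print(verdict(found, MEMORY_HITS, MAPPING))
    for pid, start, end, rule in MEMORY_HITS:
        print(f"PID {pid}: {start:#x}-{end:#x} = {region_size_kb(start, end)} KB, {rule}")
```

Two sanity checks in the block are worth carrying into any report you write up: the 0x400000-0x43C000 range is exactly the 240KB the Downloads section lists (and 0x290000-0x2DE000 in the parent is the 312KB entry), and the mapping address 0x4374CE falls inside the attributed region rather than in RegAsm's own image, which is what you would expect if the original RegAsm executable was unmapped and replaced. The SeDebugPrivilege request and the process enumeration both come from PID 1764 after the context switch, so they belong to the payload, not to RegAsm.exe.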