Analysis
- max time kernel: 107s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20230221-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-03-2023 13:36
Static task: static1
Behavioral task: behavioral1
- Sample: GIB.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: GIB.exe
- Resource: win10v2004-20230221-en
General
- Target: GIB.exe
- Size: 455KB
- MD5: e47210accd809054f50bb4f1c765004e
- SHA1: a37d125ebe7641fd00addf211083cafe08335f06
- SHA256: 43d66102096b171d791582ce4ad7881c68946594a91fa9c4931e9fae6b70e806
- SHA512: 78a402c688b230fb5fdcdb41de13d5e4b4712be0bc55b71d2275cb6072c0734a3aef172d72088ade88d308b6337c1b928ebea5cfe8079b43dcb0e45775fc0252
- SSDEEP: 12288:ZjXTfWDjZOeitDtLlP547QTbIbjGV3u3Cj3YE2:J7WfZOfllIbjIeScD
Malware Config
Extracted family: agenttesla
- URL: https://api.telegram.org/bot2134979594:AAFk4QkrlHlt2a-q-EhIoHZBbzxSH0QxiBI/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
Processes:
  jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
  flow 13: api.ipify.org
  flow 14: api.ipify.org
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1612 GIB.exe set thread context of PID 4072 jsc.exe
-
Suspicious behavior: EnumeratesProcesses (28 IoCs)
Processes:
  PID 1612 GIB.exe (28 events)
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  PID 1612 GIB.exe: Token SeDebugPrivilege
  PID 4072 jsc.exe: Token SeDebugPrivilege
-
Suspicious use of WriteProcessMemory (36 IoCs)
Processes (source PID 1612 GIB.exe wrote to the memory of each target process):
  PID 1776 InstallUtil.exe (2 events)
  PID 4660 cvtres.exe (2 events)
  PID 2268 ServiceModelReg.exe (2 events)
  PID 4328 AppLaunch.exe (2 events)
  PID 2160 aspnet_compiler.exe (2 events)
  PID 1712 aspnet_wp.exe (2 events)
  PID 1372 AddInUtil.exe (2 events)
  PID 2144 CasPol.exe (2 events)
  PID 4944 RegSvcs.exe (2 events)
  PID 3244 EdmGen.exe (2 events)
  PID 3632 ngen.exe (2 events)
  PID 3760 SMSvcHost.exe (2 events)
  PID 1720 csc.exe (2 events)
  PID 3116 WsatConfig.exe (2 events)
  PID 4072 jsc.exe (8 events)
-
outlook_office_path (1 IoC)
Processes:
  jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
outlook_win_path (1 IoC)
Processes:
  jsc.exe: Key opened \REGISTRY\USER\S-1-5-21-2805025096-2326403612-4231045514-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
- C:\Users\Admin\AppData\Local\Temp\GIB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\GIB.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Downloads
- memory/1612-133-0x0000016084130000-0x00000160841A6000-memory.dmp, filesize 472KB
- memory/1612-134-0x000001609E700000-0x000001609E710000-memory.dmp, filesize 64KB
- memory/4072-135-0x0000000000400000-0x0000000000430000-memory.dmp, filesize 192KB
- memory/4072-137-0x0000000005720000-0x0000000005CC4000-memory.dmp, filesize 5.6MB
- memory/4072-138-0x00000000050C0000-0x0000000005126000-memory.dmp, filesize 408KB
- memory/4072-139-0x0000000005040000-0x0000000005050000-memory.dmp, filesize 64KB
- memory/4072-140-0x00000000069D0000-0x0000000006A62000-memory.dmp, filesize 584KB
- memory/4072-141-0x0000000006990000-0x000000000699A000-memory.dmp, filesize 40KB
- memory/4072-142-0x0000000006AD0000-0x0000000006B20000-memory.dmp, filesize 320KB
- memory/4072-143-0x0000000006E50000-0x0000000007012000-memory.dmp, filesize 1.8MB
- memory/4072-144-0x0000000005040000-0x0000000005050000-memory.dmp, filesize 64KB