Analysis
max time kernel: 70s
max time network: 125s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 03-04-2023 11:33

Static task: static1
Behavioral task: behavioral1
  Sample: RFQ NO 012594.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: RFQ NO 012594.exe
  Resource: win10v2004-20230220-en
General
Target: RFQ NO 012594.exe
Size: 641KB
MD5: 82c6be495be71b2c1088d9edd48592a0
SHA1: bdd6ab76fbb5af5efead5fa697c2456b665451c7
SHA256: f7097b6e816feb26eabe4231e5dfeae2a8a3a6faab8c4a97146ef7afc67d17d9
SHA512: 30ca1c97adeec08e029a079c3ee21a0268e8b6a16e65e20b7c27e537431c1d9e6390118223f11372b300a56acf7e82fbe878295335821e61ffe09807338014f9
SSDEEP: 12288:83AGUow8J5Q8KpduJwtJG5KVXvwARTAWtQiyQT4W00HmGR6B:8wG9JxzMhwAtVHm
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5999752625:AAGTZbXz0C5Sg76h933VnEuCVZ9JnTnGUXU/
Signatures
-
AgentTesla
Agent Tesla is a credential-stealing remote access tool (RAT) written in .NET (originally VB.NET); it harvests saved credentials from browsers, mail and FTP clients and exfiltrates them, here over the Telegram Bot API extracted above.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RFQ NO 012594.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RFQ NO 012594.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RFQ NO 012594.exe
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
  5 | api.ipify.org
  4 | api.ipify.org
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description | pid | process | target process):
  PID 1232 set thread context of 1720 | 1232 | RFQ NO 012594.exe | RFQ NO 012594.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid | process):
  1232 | RFQ NO 012594.exe
  1232 | RFQ NO 012594.exe
  1232 | RFQ NO 012594.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1232 | RFQ NO 012594.exe
  Token: SeDebugPrivilege | 1720 | RFQ NO 012594.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (description | pid | process | target process), 9 identical rows:
  PID 1232 wrote to memory of 1720 | 1232 | RFQ NO 012594.exe | RFQ NO 012594.exe   (x9)
-
outlook_office_path 1 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RFQ NO 012594.exe
-
outlook_win_path 1 IoCs
Processes (description | ioc | process):
  Key opened | \REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RFQ NO 012594.exe
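The signature tables above describe four separable behaviours: a parent writing into a child with the same image name and then calling SetThreadContext (the classic self-hollowing / RunPE shape), the child opening Outlook MAPI profile keys under both the Office-versioned and the Windows Messaging Subsystem paths, an external-IP lookup against api.ipify.org, and a Telegram Bot API URL as the exfiltration channel. The following Python is an added example, not sandbox code: it replays those events (constructed from the tables on this page, with the PID-less DNS flows kept PID-less because the page does not attribute them) and classifies them with SID-agnostic matching so the same logic works on other hosts. The Telegram helper extracts the bot id and redacts the token so the finding can be shared without handing out a usable credential.

```python
"""Classify the behavioural events from the report above into the signature
families the sandbox reported.  Illustrative code added to this page, not a
sandbox feature; the event records are constructed from the report's tables."""
import re
from collections import defaultdict
from urllib.parse import urlparse

IMAGE = "RFQ NO 012594.exe"
C2_URL = "https://api.telegram.org/bot5999752625:AAGTZbXz0C5Sg76h933VnEuCVZ9JnTnGUXU/"

SID_KEY = r"\REGISTRY\USER\S-1-5-21-3499517378-2376672570-1134980332-1000\Software\Microsoft"
OUTLOOK_KEYS = [
    SID_KEY + r"\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    SID_KEY + r"\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
    SID_KEY + r"\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676",
]

# Constructed event list mirroring the report (no timestamps on the page, so the
# code does not rely on ordering).  The api.ipify.org flows carry no PID there.
EVENTS = (
    [{"kind": "token", "pid": p, "image": IMAGE, "priv": "SeDebugPrivilege"} for p in (1232, 1720)]
    + [{"kind": "write_memory", "pid": 1232, "image": IMAGE,
        "target_pid": 1720, "target_image": IMAGE}] * 9
    + [{"kind": "set_thread_context", "pid": 1232, "image": IMAGE,
        "target_pid": 1720, "target_image": IMAGE}]
    + [{"kind": "reg_open", "pid": 1720, "image": IMAGE, "key": k} for k in OUTLOOK_KEYS]
    + [{"kind": "dns", "flow": f, "host": "api.ipify.org"} for f in (4, 5)]
)

# Outlook profile store: Office\<ver>\Outlook\Profiles or the legacy WMS path,
# any user SID, any profile name, 32-hex MAPI profile GUID at the end.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\REGISTRY\\USER\\S-1-5-[\d-]+\\Software\\Microsoft\\"
    r"(?:Office\\(?P<ver>\d+\.\d+)\\Outlook|Windows NT\\CurrentVersion\\Windows Messaging Subsystem)"
    r"\\Profiles\\(?P<profile>[^\\]+)\\(?P<guid>[0-9A-Fa-f]{32})$",
    re.IGNORECASE,
)
IP_LOOKUP_HOSTS = {"api.ipify.org"}  # extend with other lookup services you treat as equivalent
TELEGRAM_BOT_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<token>[A-Za-z0-9_-]+)/?$")


def detect_hollowing(events):
    """Cross-process WriteProcessMemory paired with SetThreadContext on the same
    (writer, target) pair.  same_image=True is the self-hollowing variant seen here."""
    writes = defaultdict(int)
    for e in events:
        if e["kind"] == "write_memory" and e["pid"] != e["target_pid"]:
            writes[(e["pid"], e["target_pid"])] += 1
    findings = []
    for e in events:
        if e["kind"] == "set_thread_context":
            pair = (e["pid"], e["target_pid"])
            if writes.get(pair):
                findings.append({"writer": pair[0], "target": pair[1], "writes": writes[pair],
                                 "same_image": e["image"].lower() == e["target_image"].lower()})
    return findings


def outlook_profile_hits(events):
    """Registry opens that land on an Outlook/MAPI profile GUID (credential store)."""
    hits = []
    for e in events:
        if e["kind"] != "reg_open":
            continue
        m = OUTLOOK_PROFILE_RE.search(e["key"])
        if m:
            hits.append({"pid": e["pid"], "office_version": m.group("ver") or "WMS",
                         "profile": m.group("profile"), "guid": m.group("guid").upper()})
    return hits


def parse_telegram_c2(url):
    """Return bot id and a redacted token for a Telegram Bot API exfil URL, else None."""
    u = urlparse(url)
    m = TELEGRAM_BOT_RE.match(u.path)
    if u.hostname != "api.telegram.org" or not m:
        return None
    tok = m.group("token")
    return {"bot_id": m.group("bot_id"), "token_redacted": tok[:4] + "..." + tok[-4:]}


def triage(events, c2_url):
    """One summary dict a triage note can be written from."""
    return {
        "hollowing": detect_hollowing(events),
        "outlook_profiles": outlook_profile_hits(events),
        "ip_lookup": sorted({e["host"] for e in events if e["kind"] == "dns" and e["host"] in IP_LOOKUP_HOSTS}),
        "debug_privilege_pids": sorted({e["pid"] for e in events
                                        if e["kind"] == "token" and e["priv"] == "SeDebugPrivilege"}),
        "telegram_c2": parse_telegram_c2(c2_url),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS, C2_URL), indent=2))
```

On a live host the same hollowing check maps onto Sysmon Event ID 8 (CreateRemoteThread) and Event ID 10 (ProcessAccess) with the parent and child sharing an image path; the registry pattern maps onto Event ID 12/13 on the Outlook profile keys. The token is left in the constructed C2_URL only because the page already publishes it; anything derived from it should be treated as an IoC, not a credential to exercise.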
Processes
1. C:\Users\Admin\AppData\Local\Temp\RFQ NO 012594.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ NO 012594.exe"   (PID 1232 per the signature tables)
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\RFQ NO 012594.exe   (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ NO 012594.exe"   (PID 1720 per the signature tables)
      - Accesses Microsoft Outlook profiles
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps; name encodes pid-sequence-start-end | Filesize)
memory/1232-54-0x0000000000FE0000-0x0000000001086000-memory.dmp | 664KB
memory/1232-55-0x0000000000520000-0x0000000000560000-memory.dmp | 256KB
memory/1232-56-0x0000000000450000-0x0000000000468000-memory.dmp | 96KB
memory/1232-57-0x0000000000520000-0x0000000000560000-memory.dmp | 256KB
memory/1232-58-0x00000000056D0000-0x0000000005748000-memory.dmp | 480KB
memory/1232-59-0x00000000008F0000-0x0000000000922000-memory.dmp | 200KB
memory/1720-60-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-61-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-62-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-63-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/1720-65-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-67-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-69-0x0000000000400000-0x0000000000430000-memory.dmp | 192KB
memory/1720-70-0x0000000000460000-0x00000000004A0000-memory.dmp | 256KB
memory/1720-88-0x0000000000460000-0x00000000004A0000-memory.dmp | 256KB
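The dump names above encode the PID, a sequence number and the virtual address range of each snapshot, so the list can be parsed rather than read by eye. The Python below is an added example, not part of the report or the sandbox: it parses the names (constructed here from the list above), checks that each listed Filesize equals the range length, groups distinct regions per PID, and picks out the region the sandbox re-dumped most often in the child. For the hollowed child 1720 that is the 192KB block at 0x400000, the image-base region the parent's nine WriteProcessMemory calls would have overwritten; the `likely_payload_region` rule is a heuristic for this report's shape, not a sandbox rule.

```python
"""Parse sandbox memory-dump artifact names and summarise them per process.
Added example; the DUMPS list is constructed from the report's Downloads section."""
import re
from collections import Counter, defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# (artifact name, Filesize as listed on the page)
DUMPS = [
    ("memory/1232-54-0x0000000000FE0000-0x0000000001086000-memory.dmp", "664KB"),
    ("memory/1232-55-0x0000000000520000-0x0000000000560000-memory.dmp", "256KB"),
    ("memory/1232-56-0x0000000000450000-0x0000000000468000-memory.dmp", "96KB"),
    ("memory/1232-57-0x0000000000520000-0x0000000000560000-memory.dmp", "256KB"),
    ("memory/1232-58-0x00000000056D0000-0x0000000005748000-memory.dmp", "480KB"),
    ("memory/1232-59-0x00000000008F0000-0x0000000000922000-memory.dmp", "200KB"),
    ("memory/1720-60-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-61-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-62-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-63-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-64-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/1720-65-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-67-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-69-0x0000000000400000-0x0000000000430000-memory.dmp", "192KB"),
    ("memory/1720-70-0x0000000000460000-0x00000000004A0000-memory.dmp", "256KB"),
    ("memory/1720-88-0x0000000000460000-0x00000000004A0000-memory.dmp", "256KB"),
]


def parse_dump_name(name):
    """Split memory/<pid>-<seq>-<start>-<end>-memory.dmp into its fields."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"not a memory dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def check_listed_sizes(dumps):
    """Names whose listed KB figure does not equal the address-range length (1KB = 1024 bytes)."""
    bad = []
    for name, listed in dumps:
        if not listed.upper().endswith("KB"):
            raise ValueError(f"unsupported size unit: {listed}")
        if parse_dump_name(name)["size"] != int(listed[:-2]) * 1024:
            bad.append(name)
    return bad


def regions_by_pid(dumps):
    """{pid: Counter{(start, end): number of dumps of that region}}"""
    out = defaultdict(Counter)
    for name, _ in dumps:
        d = parse_dump_name(name)
        out[d["pid"]][(d["start"], d["end"])] += 1
    return out


def likely_payload_region(dumps, target_pid):
    """The region the sandbox re-dumped most often in target_pid: it keeps
    snapshotting memory that changes, which in a hollowed child is normally the
    image base the parent overwrote.  Heuristic, to be confirmed against the dump."""
    regions = regions_by_pid(dumps).get(target_pid)
    if not regions:
        return None
    (start, end), count = regions.most_common(1)[0]
    return {"start": start, "end": end, "size": end - start, "dumps": count}


if __name__ == "__main__":
    print("size mismatches:", check_listed_sizes(DUMPS))
    for pid, regions in sorted(regions_by_pid(DUMPS).items()):
        for (s, e), n in sorted(regions.items()):
            print(f"pid {pid}: 0x{s:08X}-0x{e:08X} ({(e - s) // 1024}KB) dumped {n}x")
    print("payload candidate in 1720:", likely_payload_region(DUMPS, 1720))
```

The 4KB page at 0x7EFDE000 in the child is the size of a single page and sits where 32-bit processes keep their process-level data on this platform; it is worth a look but is not the injected image. The candidate at 0x400000 is the one to carve and hand to a .NET decompiler, since the parent is the 641KB loader and the 192KB region is what it wrote before resuming the thread.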