Analysis
max time kernel: 144s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20230621-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230621-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29/06/2023, 06:56
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20230621-en
General
Target: file.exe
Size: 463KB
MD5: 1a2cfd318c11427f0ce1b0cfac83480f
SHA1: 4bdcf9570cb252ee93e8da3888a70d7825e65a1b
SHA256: 877dcc901ba5abacac399a8f33ccaffa321eb4306a3a10f16fa9a2d183374cd7
SHA512: 538156ee42e32fee0d0bdaf5d6e1587ff9422036d7503237498d2f613218d4ddaec3733afa0e9d224c4fb1d50032ff12c806fc72343695a74267e659b464981e
SSDEEP: 12288:uIFAplx5LmAFNaxAqm/OMqgcG2IWIvvwZUN9XPc8l51VGWAxX3dkcWCiFoG5:OtfNaxAqm/OMqgcG2IWIvvwZUvPc8vec
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6186587654:AAGCfYz_-Ywr0jS403I82r-XCvl_CsLT1L0/
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Uses the VBS compiler for execution (1 TTPs)

Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
  Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  18 | api.ipify.org
  19 | api.ipify.org

Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 1016 set thread context of 4268 | 1016 | file.exe | 96

Suspicious behavior: EnumeratesProcesses (24 IoCs)
  pid | Process
  1016 | file.exe (22 entries)
  4268 | jsc.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 1016 | file.exe
  Token: SeDebugPrivilege | 4268 | jsc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  4268 | jsc.exe

Suspicious use of WriteProcessMemory (30 IoCs)
  description | pid | Process | procid_target
  PID 1016 wrote to memory of 3884 | 1016 | file.exe | 85 (2 entries)
  PID 1016 wrote to memory of 3860 | 1016 | file.exe | 86 (2 entries)
  PID 1016 wrote to memory of 2300 | 1016 | file.exe | 87 (2 entries)
  PID 1016 wrote to memory of 2156 | 1016 | file.exe | 88 (2 entries)
  PID 1016 wrote to memory of 3120 | 1016 | file.exe | 89 (2 entries)
  PID 1016 wrote to memory of 4840 | 1016 | file.exe | 90 (2 entries)
  PID 1016 wrote to memory of 1952 | 1016 | file.exe | 91 (2 entries)
  PID 1016 wrote to memory of 5096 | 1016 | file.exe | 92 (2 entries)
  PID 1016 wrote to memory of 964 | 1016 | file.exe | 93 (2 entries)
  PID 1016 wrote to memory of 1364 | 1016 | file.exe | 94 (2 entries)
  PID 1016 wrote to memory of 100 | 1016 | file.exe | 95 (2 entries)
  PID 1016 wrote to memory of 4268 | 1016 | file.exe | 96 (8 entries)

outlook_office_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe

outlook_win_path (1 IoCs)
  description | ioc | Process
  Key opened | \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | jsc.exe
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID:1016
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      PID:3884
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
      PID:3860
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
      PID:2300
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
      PID:2156
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
      PID:3120
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
      PID:4840
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
      PID:1952
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
      PID:5096
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
      PID:964
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      PID:1364
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
      PID:100
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
      Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
      PID:4268
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - outlook_office_path
      - outlook_win_path