Analysis
-
max time kernel
117s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 08:40
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.11933.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.11933.exe
Resource
win10v2004-20231127-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.11933.exe
-
Size
714KB
-
MD5
05e7f056cc047a522cc2f1593a7f1c4a
-
SHA1
2129143fea7010a8cf120629da20f4e8e8ffeada
-
SHA256
021dde3d8e8f0c8fa2fec8760b0f6e29d85bf2beb3a9c49902f20fc4ed462002
-
SHA512
c7b68cc72c7a9446e5f5054eedc28e0b3d66f01976df5bafd8a30217360c54cb8d932b46ca28d5905bea945e5c95e55c17e81f01003805bcbff7969868b2698a
-
SSDEEP
12288:T0dII+Ld/YsbZ2MenfeVNrBfpz4dkyYm+Cv+73qTtW:T0C9YCKeVNrBfpQkLmzO8
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.aksumer.com - Port:
21 - Username:
aksumerc - Password:
211116.kS*-
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.11933.exedescription pid process target process PID 2208 set thread context of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.11933.exepid process 3052 SecuriteInfo.com.Win32.PWSX-gen.11933.exe 3052 SecuriteInfo.com.Win32.PWSX-gen.11933.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.11933.exedescription pid process Token: SeDebugPrivilege 3052 SecuriteInfo.com.Win32.PWSX-gen.11933.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.11933.exedescription pid process target process PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe PID 2208 wrote to memory of 3052 2208 SecuriteInfo.com.Win32.PWSX-gen.11933.exe SecuriteInfo.com.Win32.PWSX-gen.11933.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11933.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11933.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2208 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11933.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.11933.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3052