Analysis
max time kernel: 118s
max time network: 122s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 01-12-2023 10:09 (1 December 2023; the Windows 10 image used for behavioral2 is dated 2023-11-27, so the date is day-month-year)
Static task: static1
Behavioral task: behavioral1 (Sample: Report.exe, Resource: win7-20231023-en)
Behavioral task: behavioral2 (Sample: Report.exe, Resource: win10v2004-20231127-en)
General
Target: Report.exe
Size: 716KB
MD5: 88e3289cd07d44b57f43af8c144db4dc
SHA1: e58d2886490dbb84e06c8d826fd3d9bbbd1276a1
SHA256: 3540c1be8ab6e0eee1c27d3c5ef243953f986f0bf0e333da9a1b7012a01ee0c2
SHA512: 50666c22d1c075833045b86a48076370d41ddbc1a3fb7afda3745d9860d8b8f8fe7a9cbc5ce1e9ba155a92a878bafb6ccf53297154ab9cf2d634c9a7f042e50d
SSDEEP: 12288:imdI0sPziy+9tl/q/LkoIV99g0i556t3+aMuaigGP8pXDdRYUgn9Z9g5:im779GLkoIfe0i5564aB3D8dfYNm5
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.trisquarespl.com
Port: 587
Username: [email protected]
Password: vphYSHb*2
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer (originally written in VB.NET). The extracted config above is its exfiltration channel: stolen credentials and keystrokes are sent by SMTP through the listed mailbox on port 587, so the host, username and recipient are the actionable network and account indicators.
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     api.ipify.org
  5     api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  description         pid   process     target pid  target process
  set thread context  2444  Report.exe  2684        RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  2444  Report.exe
  2444  Report.exe
  2684  RegSvcs.exe
  2684  RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2444  Report.exe
  Token: SeDebugPrivilege  2684  RegSvcs.exe
Suspicious use of WriteProcessMemory (26 IoCs; identical rows collapsed into a count)
  description      pid   process     target pid  target process  count
  wrote to memory  2444  Report.exe  2600        RegSvcs.exe     7
  wrote to memory  2444  Report.exe  2636        RegSvcs.exe     7
  wrote to memory  2444  Report.exe  2684        RegSvcs.exe     12
Processes
1. C:\Users\Admin\AppData\Local\Temp\Report.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\Report.exe"
   PID: 2444
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2600
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2636
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2684
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken