Analysis
- Max time kernel: 116s
- Max time network: 148s
- Platform: windows10-2004_x64
- Resource: win10v2004-20231127-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 01-12-2023 10:09

Static task: static1

Behavioral task: behavioral1
- Sample: Report.exe
- Resource: win7-20231023-en

Behavioral task: behavioral2
- Sample: Report.exe
- Resource: win10v2004-20231127-en
General
- Target: Report.exe
- Size: 716KB
- MD5: 88e3289cd07d44b57f43af8c144db4dc
- SHA1: e58d2886490dbb84e06c8d826fd3d9bbbd1276a1
- SHA256: 3540c1be8ab6e0eee1c27d3c5ef243953f986f0bf0e333da9a1b7012a01ee0c2
- SHA512: 50666c22d1c075833045b86a48076370d41ddbc1a3fb7afda3745d9860d8b8f8fe7a9cbc5ce1e9ba155a92a878bafb6ccf53297154ab9cf2d634c9a7f042e50d
- SSDEEP: 12288:imdI0sPziy+9tl/q/LkoIV99g0i556t3+aMuaigGP8pXDdRYUgn9Z9g5:im779GLkoIfe0i5564aB3D8dfYNm5
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.trisquarespl.com
- Port: 587
- Username: [email protected]
- Password: vphYSHb*2
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    37    api.ipify.org
    38    api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes: Report.exe
    description                          pid   process     target process
    PID 2140 set thread context of 4428  2140  Report.exe  RegSvcs.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    4068  4428        WerFault.exe  RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: RegSvcs.exe
    pid   process
    4428  RegSvcs.exe
    4428  RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: RegSvcs.exe
    description              pid   process
    Token: SeDebugPrivilege  4428  RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: Report.exe
    description                        pid   process     target process
    PID 2140 wrote to memory of 4428   2140  Report.exe  RegSvcs.exe
    (the same entry is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\Report.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Report.exe"
  PID: 2140
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4428
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4428 -s 1980
      PID: 4068
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 4428 -ip 4428
  PID: 3208