Analysis
-
max time kernel
118s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
01-12-2023 11:26
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe
Resource
win10v2004-20231127-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe
-
Size
716KB
-
MD5
da1d7932229b720f188bb1586de920db
-
SHA1
82028dd1c32fafee8ea4351a108b2d1f29cedd33
-
SHA256
5ed580a1aa1981a142791f7f00f62dcb95643e30188ca4852391c34ce658060d
-
SHA512
6cfd7bcc452055620d7ca1c759cd2b2a5b28f2cf50f5663157bed403eeba62b994408b5846adcb82b58d2a843692b3dea83de7a8e20c31fab03a4099b48c999c
-
SSDEEP
12288:P9dILHw5do+xUI3LcZ/lHDAuNp9ZzNzuj+/k0SCbNOX8hoSOATdFsv:P9ycdo+b3LcRlHDAcpLzN5/k0SChOXi0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.royalwealth.space - Port:
587 - Username:
[email protected] - Password:
sQxM4AdAZ5kY7As - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exedescription pid process target process PID 1200 set thread context of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exepid process 3040 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe 3040 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exedescription pid process Token: SeDebugPrivilege 3040 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exedescription pid process target process PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe PID 1200 wrote to memory of 3040 1200 SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1200 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.32559.23239.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040