Analysis
max time kernel: 121s
max time network: 130s
platform: windows7_x64
resource: win7-20231020-en
resource tags: arch:x64, arch:x86, image:win7-20231020-en, locale:en-us, os:windows7-x64, system
submitted: 02-12-2023 01:38
Static task: static1
Behavioral task: behavioral1
  Sample: e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe
  Resource: win7-20231020-en
Behavioral task: behavioral2
  Sample: e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe
  Resource: win10v2004-20231127-en
General
Target: e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe
Size: 362KB
MD5: 042dad1d9bcc1a1f3b2f09626a1b193b
SHA1: 3a1666c8d0c1fe2a272b03276f8679b334f6955f
SHA256: e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485
SHA512: e99e0f1af0bed42f563c6c5ec678cf4946e53fed72007757eeeea3ed3b3b18b27d7d41a47bc76fb40a74b7e144df76a707dfc6ac38f3c9ea801d0ae83bc02a0d
SSDEEP: 6144:3BlL/D19uHdOE7Jox6sE0pyRxetVsS0Nzac5vVenQ4VCvNHW0OFg8sOqD:xxPu91ex6H4yOtVT0F7enQ4Mlm+3O4
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
    2868  zabqtxyqd.exe
    2720  zabqtxyqd.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid, process):
    2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe
    2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe
    2868  zabqtxyqd.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
    Set value (str)  \REGISTRY\USER\S-1-5-21-2952504676-3105837840-1406404655-1000\Software\Microsoft\Windows\CurrentVersion\Run\FdnCz = "C:\\Users\\Admin\\AppData\\Roaming\\FdnCz\\FdnCz.exe"  zabqtxyqd.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    4  api.ipify.org
    5  api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description, pid, process, target process):
    PID 2868 set thread context of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
    2720  zabqtxyqd.exe
    2720  zabqtxyqd.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes (pid, process):
    2868  zabqtxyqd.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2720  zabqtxyqd.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
    2720  zabqtxyqd.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
    PID 2028 wrote to memory of 2868  2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe  zabqtxyqd.exe
    PID 2028 wrote to memory of 2868  2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe  zabqtxyqd.exe
    PID 2028 wrote to memory of 2868  2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe  zabqtxyqd.exe
    PID 2028 wrote to memory of 2868  2028  e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe  zabqtxyqd.exe
    PID 2868 wrote to memory of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
    PID 2868 wrote to memory of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
    PID 2868 wrote to memory of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
    PID 2868 wrote to memory of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
    PID 2868 wrote to memory of 2720  2868  zabqtxyqd.exe  zabqtxyqd.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe (depth 1, PID 2028)
  Command line: "C:\Users\Admin\AppData\Local\Temp\e5b79b17be3cb037a71b9468dde3a5327f0d38a3d602fa65197187eda4f76485.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\zabqtxyqd.exe (depth 2, PID 2868)
    Command line: "C:\Users\Admin\AppData\Local\Temp\zabqtxyqd.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\zabqtxyqd.exe (depth 3, PID 2720)
      Command line: "C:\Users\Admin\AppData\Local\Temp\zabqtxyqd.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 334KB
  MD5: dc6a0cdc45ed825a2a5f08d76ca12e3f
  SHA1: 9a633096874e8662ef51544dde439c1aea0dbecc
  SHA256: df5b0acff1db2a8e0240c397cb5156041c667cec2af1565561f4d170f8986419
  SHA512: 211e0c22c1a4c55ae9b4a8b768c7fc4dcee5c4e86e1033aeb7c8c38bd02b9d79c7db75cf11c31a27b695113e6d6c8e65d36108b27cd0310b46487da87a846ff2
- Filesize: 177KB
  MD5: df16a43b03d6e57ee777e99eadcae596
  SHA1: a05e53fef5d3ca5219cfcf533de329dd5621f5a8
  SHA256: 2177142f446cc0f571e3ac16badd47eb3da3a1d9b71fb67e0d1f716701b89eab
  SHA512: 296383538c8c75f92ebede27f55b0231f9cd6a5ef16dc22a59d07612d12cce374de6fadb3c096c1123730e39a931b00e6f301c24775735c6285517a57dbffcac