Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2023 02:06
Behavioral task
behavioral1
Sample
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe
Resource
win7-20231025-en
Behavioral task
behavioral2
Sample
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe
Resource
win10v2004-20231127-en
General
-
Target
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe
-
Size
249KB
-
MD5
04e2ad46dd45e2a1427eb7acafce3caf
-
SHA1
db31874eb01e192132457efa76064de524d3128f
-
SHA256
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908
-
SHA512
46468644f7400d4556393f175585aa1ef85b5c0fa33420a31f5bd1886af3581ff4e3c15fa4b93e93b3fe9278151d798face601dcc346fe0a4a3e984153ec8f97
-
SSDEEP
3072:yaGiGa/qaKyfzsZMQzxh97eKo8Pajf1jQGMsK5ASgbR5rUQQ:yaGiGa/qaKyfzsZMe7HovjfhDMsygb3
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6609066655:AAFvSlYuljpA1ReJkQXiHiJh0XH1Axk0H-A/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3028534956-1709433221-1313273668-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "C:\\Users\\Admin\\AppData\\Roaming\\dllhost\\dllhost.exe" 6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 17 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exepid process 1900 6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe 1900 6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exedescription pid process Token: SeDebugPrivilege 1900 6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exepid process 1900 6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe"C:\Users\Admin\AppData\Local\Temp\6865a97fdf80736a014eef05467d29f0f19009860e964a07056cf38e10012908.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1900