Analysis
max time kernel: 139s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-12-2023 16:38
Behavioral task: behavioral1
Sample: QUOTATIONNOVQTRFA00541PDF.scr.exe
Resource: win7-20231201-en (windows7-x64)
8 signatures
150 seconds
General
Target: QUOTATIONNOVQTRFA00541PDF.scr.exe
Size: 974KB
MD5: 83999a2ce0109ea4adbecb3a96744e8c
SHA1: 4b94f4b23b157c7ae2df54e251cd4d22c683134d
SHA256: 5030bc30c14139d9c48dc4cd175de6c966e83a9059035d18af33dda06f2541ab
SHA512: f4dfe9396a978d942cc5e8857549da838b17099f57a9fa4fc53761ee06bcff37f4100b263fdccff9565de3db40eb9c71694618433d64d41e66d8765a131328ae
SSDEEP: 12288:W2BNuP+2ess0NdGRs5N4r8Zjw/KpBf2fLkzGHH1tfU7:J2JAk15N4r+8C72PfU
Malware Config
Extracted
Credentials
  Protocol: smtp
  Host: gator3220.hostgator.com
  Port: 587
  Username: [email protected]
  Password: 28#75@ts76&&p!!@@
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: gator3220.hostgator.com
  Port: 587
  Username: [email protected]
  Password: 28#75@ts76&&p!!@@
  Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect PureLogs payload (1 IoCs)
Processes:
  resource: behavioral2/memory/4536-0-0x0000000000070000-0x0000000000168000-memory.dmp | yara_rule: family_purelogs

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description: PID 4536 set thread context of 396 | pid: 4536 | process: QUOTATIONNOVQTRFA00541PDF.scr.exe | target process: AppLaunch.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid: 396 | process: AppLaunch.exe
  pid: 396 | process: AppLaunch.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description: Token: SeDebugPrivilege | pid: 396 | process: AppLaunch.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid: 396 | process: AppLaunch.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  description: PID 4536 wrote to memory of 396 | pid: 4536 | process: QUOTATIONNOVQTRFA00541PDF.scr.exe | target process: AppLaunch.exe
  (this row is reported 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\QUOTATIONNOVQTRFA00541PDF.scr.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID: 4536
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe (child of PID 4536)
    Command line: C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID: 396