Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
04-12-2023 09:24
Static task
static1
Behavioral task
behavioral1
Sample
RFQ2207004---140HQ-----_pdf .exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
RFQ2207004---140HQ-----_pdf .exe
Resource
win10v2004-20231127-en
General
-
Target
RFQ2207004---140HQ-----_pdf .exe
-
Size
1019KB
-
MD5
4d0ebc34ea0cb64d9bba7ec0af2951a4
-
SHA1
c315635a143e7d524b7dfae4239d219303af3b43
-
SHA256
e08872d907e4d85eb08e12941a9d2784455b7998055aac1866d79a6028647078
-
SHA512
29164bc957e299f4ee4a79586a0ff025a99038738387758f06e3980843408c1deff904ca83e9f91b71a887bbaf99e98f26a8d487096691ff57efabc1fc574f54
-
SSDEEP
24576:BRXxtO5drZN8jo7OKvw4lU+TTjh5IYT4dXFSndFLecp86tdYuO1QRkZzv:Bm3znIQ
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mailbuilderbuilder.com - Port:
587 - Username:
[email protected] - Password:
Alluminio.1 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 api.ipify.org 7 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ2207004---140HQ-----_pdf .exedescription pid process target process PID 2876 set thread context of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
RFQ2207004---140HQ-----_pdf .exepid process 2816 RFQ2207004---140HQ-----_pdf .exe 2816 RFQ2207004---140HQ-----_pdf .exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RFQ2207004---140HQ-----_pdf .exeRFQ2207004---140HQ-----_pdf .exedescription pid process Token: SeDebugPrivilege 2876 RFQ2207004---140HQ-----_pdf .exe Token: SeDebugPrivilege 2816 RFQ2207004---140HQ-----_pdf .exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
RFQ2207004---140HQ-----_pdf .exedescription pid process target process PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe PID 2876 wrote to memory of 2816 2876 RFQ2207004---140HQ-----_pdf .exe RFQ2207004---140HQ-----_pdf .exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ2207004---140HQ-----_pdf .exe"C:\Users\Admin\AppData\Local\Temp\RFQ2207004---140HQ-----_pdf .exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2876 -
C:\Users\Admin\AppData\Local\Temp\RFQ2207004---140HQ-----_pdf .exe"C:\Users\Admin\AppData\Local\Temp\RFQ2207004---140HQ-----_pdf .exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2816