Analysis
-
max time kernel
121s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
04-12-2023 14:12
Static task
static1
Behavioral task
behavioral1
Sample
RFQ_SP_301123_PDF.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
RFQ_SP_301123_PDF.exe
Resource
win10v2004-20231130-en
General
-
Target
RFQ_SP_301123_PDF.exe
-
Size
814KB
-
MD5
2b30f0ccd92928eb9bf8e18a3e7146df
-
SHA1
5ff864bfe73d8d8ce236763de7b4ba77a967570b
-
SHA256
48363aae8da413d26123fd250d665bd9bbb2123a233725d15aab0e9b9424d560
-
SHA512
d98db889a57d9422ca846726728c33ad49539f79e1c0e45774d8eea84c616b5769ec1d236ca5a3e174a2f5dde40ee6c24d568c4c5d011f4fb17375387c6c5782
-
SSDEEP
12288:vW0tW8G34/uK45+po2YnBlBfdA9sCOGMGb6ikxAfzIwJ+FupSh5qA1AT2z3/:s34/up+pJ8lBwsCOGF6i7JdpSzqcz
Malware Config
Extracted
agenttesla
https://discord.com/api/webhooks/1179499222463168573/PVUpZ1J1JtDuKSWVcXWilMvIlKb2Qchu7QhEEb_1sKVtTXLAEfM5aRMADIF1EWL0ZjkF
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RFQ_SP_301123_PDF.exedescription pid process target process PID 1764 set thread context of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
RFQ_SP_301123_PDF.exeRFQ_SP_301123_PDF.exepid process 1764 RFQ_SP_301123_PDF.exe 1764 RFQ_SP_301123_PDF.exe 2688 RFQ_SP_301123_PDF.exe 2688 RFQ_SP_301123_PDF.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
RFQ_SP_301123_PDF.exeRFQ_SP_301123_PDF.exedescription pid process Token: SeDebugPrivilege 1764 RFQ_SP_301123_PDF.exe Token: SeDebugPrivilege 2688 RFQ_SP_301123_PDF.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
RFQ_SP_301123_PDF.exedescription pid process target process PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe PID 1764 wrote to memory of 2688 1764 RFQ_SP_301123_PDF.exe RFQ_SP_301123_PDF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\RFQ_SP_301123_PDF.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_SP_301123_PDF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Users\Admin\AppData\Local\Temp\RFQ_SP_301123_PDF.exe"C:\Users\Admin\AppData\Local\Temp\RFQ_SP_301123_PDF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2688