Analysis
- max time kernel: 149s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231130-en
- resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
- submitted: 04-12-2023 17:30

Static task: static1
Behavioral task: behavioral1
- Sample: c556abc2e04d6889cf0a059f9133af60.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: c556abc2e04d6889cf0a059f9133af60.exe
- Resource: win10v2004-20231127-en
General
- Target: c556abc2e04d6889cf0a059f9133af60.exe
- Size: 1008KB
- MD5: c556abc2e04d6889cf0a059f9133af60
- SHA1: 80d768a65c200d34517bdf788e8ae649e4f4addf
- SHA256: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220a
- SHA512: 1b766194cf4c7419366f9c05d1ba58ead14413125ce309825d4cd607edb4cb49bee7d4af46397df9d9bf27ea3418d96f642932ef068ea403f89a91b7e29162f7
- SSDEEP: 24576:p1tk+pJ16fvFeZ81CAH9ddcuq+vHWH32M4L:rZJUf9HH9Euqn32r
Malware Config
Extracted
Family: agenttesla
- Protocol: smtp
- Host: mail.worlorderbillions.top
- Port: 587
- Username: [email protected]
- Password: vqpF.#;cCodu
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic (.NET); the extracted config above shows this build exfiltrating over SMTP.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Flows:
- flow 2: ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 2032 (c556abc2e04d6889cf0a059f9133af60.exe) set thread context of PID 2328 (c556abc2e04d6889cf0a059f9133af60.exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2328 c556abc2e04d6889cf0a059f9133af60.exe (2 events)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 2524 AcroRd32.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- PID 2328 c556abc2e04d6889cf0a059f9133af60.exe enabled token privilege SeDebugPrivilege
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
- PID 2524 AcroRd32.exe (4 events)
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
- PID 2032 (c556abc2e04d6889cf0a059f9133af60.exe) wrote to memory of PID 2328 (c556abc2e04d6889cf0a059f9133af60.exe) (9 events)
- PID 2328 (c556abc2e04d6889cf0a059f9133af60.exe) wrote to memory of PID 2524 (AcroRd32.exe) (4 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
  PID: 2032
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe (child of 2032)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
    PID: 2328
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (child of 2328)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf"
      PID: 2524
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
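The SetThreadContext and WriteProcessMemory IoCs above describe the textbook process-hollowing sequence: PID 2032 starts a second copy of its own image (PID 2328), writes into it nine times and then replaces its thread context, so the child's on-disk image is no longer what executes. Everything the report attributes to 2328 afterwards (SeDebugPrivilege, process enumeration, launching AcroRd32.exe on the PDF) is therefore the behaviour of the unpacked payload. The Python below is an added example, not part of this report or of the sandbox's own tooling; it replays the report's events, constructed inline from the tables above, through a small detector that separates this pattern from ordinary parent-to-child memory writes. The Proc and Event types and the function names are this example's own.

```python
"""Added example: flag the self-injection (process hollowing) pattern that the
SetThreadContext / WriteProcessMemory IoCs in this report describe.  Events and
process list are constructed from the report's tables; names are this example's own."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str
    parent: Optional[int] = None


@dataclass(frozen=True)
class Event:
    api: str                      # hooked Windows API, as the sandbox names it
    pid: int                      # acting process
    target: Optional[int] = None  # process acted upon, if any
    detail: str = ""              # e.g. privilege name for AdjustPrivilegeToken


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\c556abc2e04d6889cf0a059f9133af60.exe"
READER = r"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"

# Constructed from the process tree and IoC tables in this report.
PROCS: Dict[int, Proc] = {
    2032: Proc(2032, SAMPLE),
    2328: Proc(2328, SAMPLE, parent=2032),
    2524: Proc(2524, READER, parent=2328),
}
EVENTS: List[Event] = (
    [Event("SetThreadContext", 2032, 2328)]
    + [Event("WriteProcessMemory", 2032, 2328)] * 9
    + [Event("WriteProcessMemory", 2328, 2524)] * 4
    + [Event("AdjustPrivilegeToken", 2328, detail="SeDebugPrivilege")]
)


def find_hollowing(procs: Dict[int, Proc], events: List[Event]) -> List[dict]:
    """One finding per (injector, victim) pair where the injector both wrote into
    the victim and replaced its thread context.  Writes alone are noisy (parents
    write into freshly created children all the time); the context reset on top
    of them is what marks a hollowed process."""
    writes = Counter((e.pid, e.target) for e in events if e.api == "WriteProcessMemory")
    ctx = {(e.pid, e.target) for e in events if e.api == "SetThreadContext"}
    findings = []
    for src, dst in sorted(ctx):
        if (src, dst) not in writes or dst not in procs or src not in procs:
            continue  # context change without prior writes: not this pattern
        injector, victim = procs[src], procs[dst]
        findings.append({
            "injector": src,
            "victim": dst,
            "parent_child": victim.parent == src,
            "same_image": victim.image.lower() == injector.image.lower(),
            "write_count": writes[(src, dst)],
        })
    return findings


def privileged_pids(events: List[Event]) -> Dict[int, List[str]]:
    """pid -> sorted list of token privileges it enabled."""
    out: Dict[int, set] = {}
    for e in events:
        if e.api == "AdjustPrivilegeToken":
            out.setdefault(e.pid, set()).add(e.detail)
    return {pid: sorted(v) for pid, v in out.items()}


def children_of_hollowed(procs: Dict[int, Proc], findings: List[dict]) -> List[int]:
    """Processes spawned by a hollowed victim, i.e. actions of the injected
    payload rather than of the binary on disk."""
    victims = {f["victim"] for f in findings}
    return sorted(p.pid for p in procs.values() if p.parent in victims)


if __name__ == "__main__":
    hits = find_hollowing(PROCS, EVENTS)
    for h in hits:
        print("hollowing:", h)
    print("privileges enabled:", privileged_pids(EVENTS))
    print("spawned by payload:", children_of_hollowed(PROCS, hits))
```

Run as-is it reports a single hollowing finding (2032 into 2328, same image, nine writes), SeDebugPrivilege enabled by 2328, and 2524 (AcroRd32.exe) as a child of the hollowed process. The four writes from 2328 into 2524 are deliberately not flagged: there is no SetThreadContext against 2524, and parent-to-child writes without a context reset are ordinary process start-up. The caveat is the mirror image: injection that uses a different primitive (queued APCs, thread hijacking via a separate thread handle, section mapping) will not produce SetThreadContext from the writer and needs its own rule.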
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 3KB
  MD5: a1796055a901c8e4ed00eb206a280d27
  SHA1: 397391ad3561a17e4f967438b97c0f00cc8fa2b8
  SHA256: 9803556f82e7177a146c486a63eabdac9e5c960f2f62196ee7d2e7f84e7a0c1b
  SHA512: f997e3ebe2912084188525b2b0a5d5ab71db5c3546f39531f8ac97d7da54ae95af0e8d9402dfaf8ade0c5cbbda71bcad2cb20e2899955e298e2381fce04a7c74
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf
  Filesize: 120KB
  MD5: 5fcdd51c3cd1d44b10275bec6e299ab5
  SHA1: 23f6b41f34950a0d6776b3b593c57474c7440797
  SHA256: abcd38761579196d1f5fd4efa7c5eebc1f1e32c031775cb5539acef2dfc24bf5
  SHA512: 52c3bc80621716adbd9126d8ab284053bc298ab9c425ba455509851d32ae644eefb0856a33846eebe084d64d37495b479b21e7c26188aab4ed71f0b3a2ab50d6