Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231130-en
resource tags: arch:x64, arch:x86, image:win7-20231130-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2023 17:16
Static task: static1
Behavioral task: behavioral1
  Sample: RFQSP301123PDF.exe
  Resource: win7-20231130-en
Behavioral task: behavioral2
  Sample: RFQSP301123PDF.exe
  Resource: win10v2004-20231130-en
General
Target: RFQSP301123PDF.exe
Size: 814KB
MD5: 2b30f0ccd92928eb9bf8e18a3e7146df
SHA1: 5ff864bfe73d8d8ce236763de7b4ba77a967570b
SHA256: 48363aae8da413d26123fd250d665bd9bbb2123a233725d15aab0e9b9424d560
SHA512: d98db889a57d9422ca846726728c33ad49539f79e1c0e45774d8eea84c616b5769ec1d236ca5a3e174a2f5dde40ee6c24d568c4c5d011f4fb17375387c6c5782
SSDEEP: 12288:vW0tW8G34/uK45+po2YnBlBfdA9sCOGMGb6ikxAfzIwJ+FupSh5qA1AT2z3/:s34/up+pJ8lBwsCOGF6i7JdpSzqcz
Malware Config
Extracted: agenttesla
  Discord webhook URL: https://discord.com/api/webhooks/1179499222463168573/PVUpZ1J1JtDuKSWVcXWilMvIlKb2Qchu7QhEEb_1sKVtTXLAEfM5aRMADIF1EWL0ZjkF
Signatures
AgentTesla
  Agent Tesla is a .NET information stealer with remote access tool (RAT) features, originally written in Visual Basic .NET. It harvests saved credentials from browsers, email and FTP clients and exfiltrates them over SMTP, FTP, Telegram or, as in this sample's extracted config, a Discord webhook.
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla, which store saved site credentials on disk.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store account settings and credentials on disk, where infostealers routinely target them.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill data.
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP; the lookup is benign on its own, so treat it as a corroborating indicator rather than a standalone alert.
  flow  ioc
  2     api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process             target process
  PID 2112 set thread context of 2356  2112  RFQSP301123PDF.exe  RFQSP301123PDF.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   process
  2112  RFQSP301123PDF.exe
  2112  RFQSP301123PDF.exe
  2356  RFQSP301123PDF.exe
  2356  RFQSP301123PDF.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2112  RFQSP301123PDF.exe
  Token: SeDebugPrivilege  2356  RFQSP301123PDF.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                        pid   process             target process
  PID 2112 wrote to memory of 2356   2112  RFQSP301123PDF.exe  RFQSP301123PDF.exe
  (the same row is reported 9 times: nine WriteProcessMemory calls from 2112 into 2356)
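The last four signatures together are the footprint of process hollowing: the first instance (PID 2112) spawns a second copy of its own image (PID 2356), writes into it nine times, then calls SetThreadContext to redirect the child's main thread into the written payload; SeDebugPrivilege is adjusted in both. The script below is an added example (not part of the sandbox report, and not the vendor's detection logic): it parses rows in the exact textual form the report renders above, correlates WriteProcessMemory and SetThreadContext events per (injector, target) pair, and flags a pair only when both are present. The explorer.exe/cmd.exe row is constructed as a negative case; the hollowing rows are copied from this report.

```python
import re
from collections import defaultdict

# Row format exactly as the sandbox renders it, one row per line:
#   PID <src> wrote to memory of <dst> <src> <src image> <dst image>
#   PID <src> set thread context of <dst> <src> <src image> <dst image>
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)

# Constructed sample: the ten rows from this report plus one benign,
# made-up write (a parent writing to a child of a different image with no
# SetThreadContext, e.g. ordinary process creation) that must NOT be flagged.
SAMPLE_ROWS = (
    ["PID 2112 wrote to memory of 2356 2112 RFQSP301123PDF.exe RFQSP301123PDF.exe"] * 9
    + ["PID 2112 set thread context of 2356 2112 RFQSP301123PDF.exe RFQSP301123PDF.exe"]
    + ["PID 4000 wrote to memory of 4100 4000 explorer.exe cmd.exe"]  # constructed, benign
)


def parse_rows(rows):
    """Turn rendered signature rows into event dicts; rows that do not match are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "src": int(d["src"]),
            "dst": int(d["dst"]),
            "action": d["action"],
            "src_image": d["src_image"],
            "dst_image": d["dst_image"],
        })
    return events


def detect_hollowing(events, min_writes=1):
    """One finding per (src, dst) pair that both wrote memory into the target
    and set a thread context on it. Writes alone are common (debuggers,
    installers); the SetThreadContext on the same target is what makes it
    hollowing (ATT&CK T1055.012). Same-image pairs are the strongest signal."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "src_image": None, "dst_image": None})
    for e in events:
        p = pairs[(e["src"], e["dst"])]
        if e["action"] == "wrote to memory of":
            p["writes"] += 1
        else:
            p["ctx"] += 1
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]

    findings = []
    for (src, dst), p in sorted(pairs.items()):
        if p["ctx"] and p["writes"] >= min_writes:
            findings.append({
                "injector": src,
                "target": dst,
                "image": p["src_image"],
                "writes": p["writes"],
                "self_replacement": p["src_image"] == p["dst_image"],
                "technique": "process hollowing (T1055.012)",
            })
    return findings


if __name__ == "__main__":
    for f in detect_hollowing(parse_rows(SAMPLE_ROWS)):
        print(f"{f['technique']}: {f['image']} PID {f['injector']} -> PID {f['target']} "
              f"({f['writes']} writes, self-replacement={f['self_replacement']})")
```

The same correlation works on live telemetry (Sysmon Event ID 8 / CreateRemoteThread plus ETW thread-context events, or an EDR's API trace) once the rows are mapped into the same `src`/`dst`/`action` shape; the regex is only the adapter for this report's rendering.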
Processes
C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe  "C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe"  (PID 2112)
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  └ C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe  "C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe"  (PID 2356, child of 2112)
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken