Analysis
- max time kernel: 31s
- max time network: 52s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-12-2023 17:16
Static task
- static1

Behavioral task
- behavioral1
  - Sample: RFQSP301123PDF.exe
  - Resource: win7-20231130-en

Behavioral task
- behavioral2
  - Sample: RFQSP301123PDF.exe
  - Resource: win10v2004-20231130-en
General
- Target: RFQSP301123PDF.exe
- Size: 814KB
- MD5: 2b30f0ccd92928eb9bf8e18a3e7146df
- SHA1: 5ff864bfe73d8d8ce236763de7b4ba77a967570b
- SHA256: 48363aae8da413d26123fd250d665bd9bbb2123a233725d15aab0e9b9424d560
- SHA512: d98db889a57d9422ca846726728c33ad49539f79e1c0e45774d8eea84c616b5769ec1d236ca5a3e174a2f5dde40ee6c24d568c4c5d011f4fb17375387c6c5782
- SSDEEP: 12288:vW0tW8G34/uK45+po2YnBlBfdA9sCOGMGb6ikxAfzIwJ+FupSh5qA1AT2z3/:s34/up+pJ8lBwsCOGF6i7JdpSzqcz
Malware Config
Extracted
- agenttesla
  - https://discord.com/api/webhooks/1179499222463168573/PVUpZ1J1JtDuKSWVcXWilMvIlKb2Qchu7QhEEb_1sKVtTXLAEfM5aRMADIF1EWL0ZjkF
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  - flow: 8; ioc: api.ipify.org
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
  - description: PID 4840 set thread context of 1344; pid: 4840; process: RFQSP301123PDF.exe; target process: RFQSP301123PDF.exe
- Program crash (1 IoCs)
  Processes:
  - pid: 4688; pid_target: 1344; process: WerFault.exe; target process: RFQSP301123PDF.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
  - pid: 4840; process: RFQSP301123PDF.exe
  - pid: 4840; process: RFQSP301123PDF.exe
  - pid: 1344; process: RFQSP301123PDF.exe
  - pid: 1344; process: RFQSP301123PDF.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - description: Token: SeDebugPrivilege; pid: 4840; process: RFQSP301123PDF.exe
  - description: Token: SeDebugPrivilege; pid: 1344; process: RFQSP301123PDF.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  - description: PID 4840 wrote to memory of 1344; pid: 4840; process: RFQSP301123PDF.exe; target process: RFQSP301123PDF.exe (8 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4840
  - C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\RFQSP301123PDF.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 1344
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1344 -s 1880
      - Program crash
      PID: 4688
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1344 -ip 1344
  PID: 3732
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  - MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  - SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  - SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  - SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3