Analysis
-
max time kernel
30s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system -
submitted
04-12-2023 19:17
Static task
static1
Behavioral task
behavioral1
Sample
ODENENF.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
ODENENF.exe
Resource
win10v2004-20231130-en
General
-
Target
ODENENF.exe
-
Size
258KB
-
MD5
c88213509925a156d10147f2f1310775
-
SHA1
cf0a20e3905e717593c9b94e7809160ab5d3e58a
-
SHA256
6412829db71df7f5cb7c5bd69093448d5ed82bd7716988c97b800527f10b2dc3
-
SHA512
f3f808fa50aa0157af2a177ed7f1dbe70c0ab55e5b6e9f23bbc6036c222c43b4d9ea051de2ed6d2ffdfc4adacc19de3f94b9da29c5904309826dcdb8a84c7d1c
-
SSDEEP
6144:R76Vihoiff9APwmzA8F5hJE+TB2PpOQrt8S681f+zl:R71hoWAPwmXF53E/ROQp8L81W
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mydevelopmentstory.com - Port:
21 - Username:
[email protected] - Password:
ENugu@042EN
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 5 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ODENENF.exedescription pid process target process PID 2112 set thread context of 2100 2112 ODENENF.exe ODENENF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ODENENF.exepid process 2100 ODENENF.exe 2100 ODENENF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ODENENF.exedescription pid process Token: SeDebugPrivilege 2100 ODENENF.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
ODENENF.exedescription pid process target process PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe PID 2112 wrote to memory of 2100 2112 ODENENF.exe ODENENF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2112 -
C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2100