Analysis
-
max time kernel
142s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
04-12-2023 19:17
Static task
static1
Behavioral task
behavioral1
Sample
ODENENF.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
ODENENF.exe
Resource
win10v2004-20231130-en
General
-
Target
ODENENF.exe
-
Size
258KB
-
MD5
c88213509925a156d10147f2f1310775
-
SHA1
cf0a20e3905e717593c9b94e7809160ab5d3e58a
-
SHA256
6412829db71df7f5cb7c5bd69093448d5ed82bd7716988c97b800527f10b2dc3
-
SHA512
f3f808fa50aa0157af2a177ed7f1dbe70c0ab55e5b6e9f23bbc6036c222c43b4d9ea051de2ed6d2ffdfc4adacc19de3f94b9da29c5904309826dcdb8a84c7d1c
-
SSDEEP
6144:R76Vihoiff9APwmzA8F5hJE+TB2PpOQrt8S681f+zl:R71hoWAPwmXF53E/ROQp8L81W
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mydevelopmentstory.com - Port:
21 - Username:
[email protected] - Password:
ENugu@042EN
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 5 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
ODENENF.exedescription pid process target process PID 4844 set thread context of 4712 4844 ODENENF.exe ODENENF.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
ODENENF.exepid process 4712 ODENENF.exe 4712 ODENENF.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
ODENENF.exedescription pid process Token: SeDebugPrivilege 4712 ODENENF.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
ODENENF.exepid process 4712 ODENENF.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
ODENENF.exedescription pid process target process PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe PID 4844 wrote to memory of 4712 4844 ODENENF.exe ODENENF.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4844 -
C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"C:\Users\Admin\AppData\Local\Temp\ODENENF.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4712