Analysis
max time kernel: 11s
max time network: 16s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-12-2023 19:50
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
EBAT UPDATE.exe
Resource
win7-20231023-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
EBAT UPDATE.exe
Resource
win10v2004-20231127-en
windows10-2004-x64
6 signatures
150 seconds
General
Target: EBAT UPDATE.exe
Size: 2.9MB
MD5: 3e961114f8cf1ccd1385b146dcdbebc3
SHA1: b51ff4fdeb4d7aa53d915949efbae9c3e8406133
SHA256: 4743fca94b89530b4b6572de56ce36555a06c165a0c56493005272c23cc95f70
SHA512: f97dd32624c4d853044d2af5dd5af1ec34d2d08c408d35aa83a3bfcc3441b4a1649f71e83e4a271d6354e80e4f16a417dafc48761c156819ad01188b61bcc823
SSDEEP: 49152:wH2RCImIU63mEO98RNgRWkpGXKovzNeV0l9lTxoTcBo:wH2RC2BAUaovIml9pxoT
Score
10/10
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 1 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/4440-5-0x000002AB6BDC0000-0x000002AB6BFD6000-memory.dmp    family_agenttesla
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: EBAT UPDATE.exe
description         ioc                                                                    process
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     EBAT UPDATE.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  EBAT UPDATE.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       EBAT UPDATE.exe
Processes: EBAT UPDATE.exe
description   ioc                                                                                                           process
Key created   \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000\Software\Microsoft\Internet Explorer\TypedURLs   EBAT UPDATE.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes: EBAT UPDATE.exe
pid    process
4440   EBAT UPDATE.exe
4440   EBAT UPDATE.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: EBAT UPDATE.exe
description              pid    process
Token: SeDebugPrivilege  4440   EBAT UPDATE.exe