Analysis
- max time kernel: 122s
- max time network: 129s
- platform: windows10-1703_x64
- resource: win10-20231020-en
- resource tags: arch:x64, arch:x86, image:win10-20231020-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 05-12-2023 03:53
Static task: static1
Behavioral task: behavioral1
- Sample: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
- Resource: win10-20231020-en
General
- Target: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
- Size: 823KB
- MD5: 77e7f5ee129d7a0eb6a063c6700083f6
- SHA1: 3809d6d83545814b6ca32ee97de22a5d9ce43114
- SHA256: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d
- SHA512: 5933fba201b39e8e3768b2eae316e9ab2bce27446d96b521f044a7960f7402ee2fd44c5d1f5be5ff0e8390978e836c030b3b341039e2023aace9d7f39693611e
- SSDEEP: 12288:PWcXtW8G34/uK45+po2PUabkUh88z0IvoFMY1EUcCzetvc4en1ccxfD0whVS3UeJ:634/up+pJKY3o7NHiFcrn9xfnV+bJ
Malware Config
Extracted
- Family: agenttesla
- URL: https://api.telegram.org/bot6695508500:AAHkexS5oB1E5lJkAEKZx2DzV7hRPW1U52k/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  Process: 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-2640874492-649017405-3475600720-1000\Software\Microsoft\Windows\CurrentVersion\Run\ydVSL = "C:\\Users\\Admin\\AppData\\Roaming\\ydVSL\\ydVSL.exe"
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flows:
  flow 2: api.ipify.org
  flow 3: api.ipify.org
  flow 4: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  PID 4036 (18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe) set thread context of PID 5052 (18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  PID 5052 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  PID 5052 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe: Token: SeDebugPrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  PID 5052 18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  PID 4036 (18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe) wrote to memory of PID 5052 (18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe) (8 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"
  PID: 4036
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe"
    PID: 5052
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\18e7407574a68f77e1fae3d3c818d864b7a61b044e16805f684968335197cc7d.exe.log
  Filesize: 1KB
  MD5: 0c2899d7c6746f42d5bbe088c777f94c
  SHA1: 622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1
  SHA256: 5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458
  SHA512: ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078