Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20231201-en -
resource tags
arch:x64arch:x86image:win7-20231201-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 07:15
Static task
static1
Behavioral task
behavioral1
Sample
FedEx Receipt_AWB#85021012746.exe
Resource
win7-20231201-en
Behavioral task
behavioral2
Sample
FedEx Receipt_AWB#85021012746.exe
Resource
win10v2004-20231127-en
General
-
Target
FedEx Receipt_AWB#85021012746.exe
-
Size
694KB
-
MD5
ad35ef5346336bb9b2e0eedab376af8a
-
SHA1
5ead65c1717d8fb67de14013f42be25729838d14
-
SHA256
8a1aea514b658161770c47e07c649ee007937805cb5039bc90904bb85783dbff
-
SHA512
9bd5fe22878b0b9ddf55109bb2cf2e359d2aacd93ec0fc1d0d1701796316c176705e91bd89b7590122fd0201ff6211235f3d1d68cbfb7f8948328711dd19d1b7
-
SSDEEP
12288:Hl5nF8oVdqrlb9T5b+XKDl8lVBTMnd8fd/cqSbF5h/Lgse6q5g8goLg1vh3QjjyB:HlhqhbN5bWtJMn2dE5eh6qNLRjyFr
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
nl10.nlkoddos.com - Port:
587 - Username:
[email protected] - Password:
k[yH!8Z$AE;d - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
FedEx Receipt_AWB#85021012746.exedescription pid process target process PID 1992 set thread context of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
FedEx Receipt_AWB#85021012746.exepid process 2652 FedEx Receipt_AWB#85021012746.exe 2652 FedEx Receipt_AWB#85021012746.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FedEx Receipt_AWB#85021012746.exedescription pid process Token: SeDebugPrivilege 2652 FedEx Receipt_AWB#85021012746.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
FedEx Receipt_AWB#85021012746.exepid process 2652 FedEx Receipt_AWB#85021012746.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
FedEx Receipt_AWB#85021012746.exedescription pid process target process PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe PID 1992 wrote to memory of 2652 1992 FedEx Receipt_AWB#85021012746.exe FedEx Receipt_AWB#85021012746.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\FedEx Receipt_AWB#85021012746.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Receipt_AWB#85021012746.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Users\Admin\AppData\Local\Temp\FedEx Receipt_AWB#85021012746.exe"C:\Users\Admin\AppData\Local\Temp\FedEx Receipt_AWB#85021012746.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2652