Analysis
-
max time kernel
121s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
05-12-2023 07:17
Static task
static1
Behavioral task
behavioral1
Sample
PO-23-0146.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
PO-23-0146.exe
Resource
win10v2004-20231127-en
General
-
Target
PO-23-0146.exe
-
Size
760KB
-
MD5
88605a04041c844d0fa3e70f9a34dac4
-
SHA1
11bc6d37d5d1c7cb84c6a2de49bcee576d6006f9
-
SHA256
55117ad52823e037d345b3fd86b13e81f4b88aecbb548f733ee5beeb91209438
-
SHA512
bb02bd7586c14e67d165e287ca332947db6cbe929b78d0959c3239d45933084be8e15315983caa41c9c47325cd87ee188fdcc58f210b5c1576f6340ed81ebd29
-
SSDEEP
12288:TRLid7BR6wTuH+kbuU17TBM7jYnlLw8xkVj7SnfT2KlSIO/DpXc/DzHtIZJAf3P9:VLipBul17Te7El1GVS6sSIYdXc/NIZDm
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.lubdub.com - Port:
587 - Username:
[email protected] - Password:
J-y!2e_fWMH_XP8F_008 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO-23-0146.exedescription pid process target process PID 2660 set thread context of 2440 2660 PO-23-0146.exe PO-23-0146.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
PO-23-0146.exepid process 2440 PO-23-0146.exe 2440 PO-23-0146.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO-23-0146.exedescription pid process Token: SeDebugPrivilege 2440 PO-23-0146.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
PO-23-0146.exedescription pid process target process PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe PID 2660 wrote to memory of 2440 2660 PO-23-0146.exe PO-23-0146.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO-23-0146.exe"C:\Users\Admin\AppData\Local\Temp\PO-23-0146.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660 -
C:\Users\Admin\AppData\Local\Temp\PO-23-0146.exe"C:\Users\Admin\AppData\Local\Temp\PO-23-0146.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440