Analysis
  max time kernel:  119s
  max time network: 123s
  platform:         windows7_x64
  resource:         win7-20231023-en
  resource tags:    arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
  submitted:        05-12-2023 16:50
Static task
  static1

Behavioral task
  behavioral1
    Sample:   c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    Resource: win7-20231023-en

Behavioral task
  behavioral2
    Sample:   c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    Resource: win10v2004-20231127-en
General
  Target: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
  Size:   933KB
  MD5:    e4f8b6eee6be5f9102ee21d572dc0834
  SHA1:   3b00998371ee7c84e20bcbfd543ec45a8588d55f
  SHA256: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac
  SHA512: 3cec5ce85e4632ceaa2d3ab472ca143f4beb4f42c46ab1709b0ebc5ba043bce2946fda41300faa1f3445d9665d28e1f4f7fdabed3a85ca0c5bd83da0a8d21e1c
  SSDEEP: 12288:XdIcNJum2wDuyWZRO/GsxTz5llc3YyhFtbYcZ1peAXV8ApP7r9r/+ppppppppppR:XPNJum2wCyWZ0O+TH23DhscZ1pjp1q
Malware Config
  Extracted
    Family: agenttesla
    URL:    https://api.telegram.org/bot6471053992:AAFUlrUxhi5Jrpjikoc-P4r9ZbsXV_T9vj8/
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com
Suspicious use of SetThreadContext (1 IoC)
  Processes: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    description                          pid   process                                                                  target process
    PID 2096 set thread context of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
Program crash (1 IoC)
  Processes: WerFault.exe
    pid   pid_target  process       target process
    2480  3048        WerFault.exe  MSBuild.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe, MSBuild.exe
    pid   process
    2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    3048  MSBuild.exe
    3048  MSBuild.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe, MSBuild.exe
    description              pid   process
    Token: SeDebugPrivilege  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    Token: SeDebugPrivilege  3048  MSBuild.exe
Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe, MSBuild.exe
    description                       pid   process                                                                  target process
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 2096 wrote to memory of 3048  2096  c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe  MSBuild.exe
    PID 3048 wrote to memory of 2480  3048  MSBuild.exe                                                              WerFault.exe
    PID 3048 wrote to memory of 2480  3048  MSBuild.exe                                                              WerFault.exe
    PID 3048 wrote to memory of 2480  3048  MSBuild.exe                                                              WerFault.exe
    PID 3048 wrote to memory of 2480  3048  MSBuild.exe                                                              WerFault.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\c7b54fdfe758bc9efc5a2f6d97926f20d01f1c85aeb2be3156d56b3a7ea83bac.exe"
    PID: 2096
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      PID: 3048
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1372
        PID: 2480
        - Program crash