Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231201-en
- resource tags: arch:x64, arch:x86, image:win7-20231201-en, locale:en-us, os:windows7-x64, system
- submitted: 06-12-2023 01:36
Static task: static1
Behavioral task: behavioral1
- Sample: a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
- Resource: win7-20231201-en
Behavioral task: behavioral2
- Sample: a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
- Resource: win10v2004-20231130-en
General
- Target: a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
- Size: 432KB
- MD5: 15d40168b52a1cf5882ab9fc782a79ac
- SHA1: ef61e46d0fcf5b1fed7a299ae4fedb042d8f9615
- SHA256: a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737
- SHA512: 3c05836601e8ec8c82b98e572f535881ca55512eb68f4e06f68396d8934f81207f2dc3c0e6db2d21efaffbad14a2aed813d0fff7eded4f6cebe2fec68d9a8873
- SSDEEP: 6144:t8LxB6OIh2rW/DFdDD8UGsexWaens8AJkNrHqHNnNVNDSb4O4II4qJma:JOc2CBd/DYxWap/JkUJxO4v4Yma
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Executes dropped EXE (2 IoCs)
  Processes:
    pid 2484  zyrhjxa.exe
    pid 2864  zyrhjxa.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid 1708  a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
    pid 2484  zyrhjxa.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows:
    flow 2  api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    PID 2484 (zyrhjxa.exe) set thread context of PID 2864 (zyrhjxa.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 2864  zyrhjxa.exe
    pid 2864  zyrhjxa.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid 2484  zyrhjxa.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    Token: SeDebugPrivilege  pid 2864  zyrhjxa.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 2864  zyrhjxa.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    PID 1708 (a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe) wrote to memory of PID 2484 (zyrhjxa.exe)  (4 entries)
    PID 2484 (zyrhjxa.exe) wrote to memory of PID 2864 (zyrhjxa.exe)  (5 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a9504ae35036fef71cf35b5b958c948d1c0ef365772ebc960d04e92e8ad96737.exe"
   PID: 1708
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe"
      PID: 2484
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe (child of 2)
         Command line: "C:\Users\Admin\AppData\Local\Temp\zyrhjxa.exe"
         PID: 2864
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 333KB
  MD5: 34814aa0e780d3d5bef594ffb2cee17d
  SHA1: dbe1e613d0de4674bbf80378afd3710b6b159545
  SHA256: 80f5669ff15457a1384bd3b2f56702e96d36463422bfcb86f35bb718fa44eda4
  SHA512: f2157c83f868beb7ba1320debdf3ef2144700038883eef2ed4c68a8900ceeb48eb3332ea17e85c4ea943ee55ceda5aed2f9c0f01b5e7c7c0f8d2546bc432aa05
- Filesize: 174KB
  MD5: cea16b31436e1bc19bca99faae869e35
  SHA1: 15b27f85b3dd5567f7825d1aee6d838d3b5f69c5
  SHA256: 21653b060487283e11cba12d6d2a2d417c40e74c02a367a52647a94146636764
  SHA512: 301f07e5ca7949e138212e4f4da0b8c48e7a91f2c8f1619927b259bf31298205eae3127d92e03f80ac5e939c512fb17b3f3b3d3b5b61bacef50f21d6d5f9271f