Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
06-12-2023 01:43
Behavioral task
behavioral1
Sample
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe
Resource
win10v2004-20231201-en
General
-
Target
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe
-
Size
241KB
-
MD5
9111da3c55c55be6573f7c2d7643e479
-
SHA1
97d05eb0b61853193850f6e51d005679eaef76c9
-
SHA256
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6
-
SHA512
34eda43f7105931bd1bbfd52de4fb820c2bf448e22d64f19461b450a7942c2dbd17e1c898013158d7a6ba1306cf8e5cf32ab7445050340ebcc213714bea04484
-
SSDEEP
3072:cys8888xZsHK02U3mO1FwpzT2/O5jISGfyTJG:Rs8888xZsqg351FwpzTEZSG
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://valvulasthermovalve.cl - Port:
21 - Username:
[email protected] - Password:
LILKOOLL14!!
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2084844033-2744876406-2053742436-1000\Software\Microsoft\Windows\CurrentVersion\Run\yccfDcq = "C:\\Users\\Admin\\AppData\\Roaming\\yccfDcq\\yccfDcq.exe" 92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org 6 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exepid process 1636 92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe 1636 92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exedescription pid process Token: SeDebugPrivilege 1636 92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe"C:\Users\Admin\AppData\Local\Temp\92d9e62f0f973b481ba6eedcdbcfb11c3e15761b2713919aa98e8a99b00f60f6.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1636