Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231020-en -
resource tags
arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system -
submitted
06-12-2023 03:12
Static task
static1
Behavioral task
behavioral1
Sample
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
Resource
win10v2004-20231130-en
General
-
Target
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
-
Size
422KB
-
MD5
a4b7d954a47d10725218d26512544394
-
SHA1
4d7a7b92c256927cb93d78896f278e8945ea0665
-
SHA256
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff
-
SHA512
ee7554af28b119016d04e1f3e6eae2296c9406e02835f6506bb255c4f606b3cde1ad655217a13d5d51796502047ec590179bb2a45db0433ffce437653a8ae977
-
SSDEEP
6144:Rxu7VAd87ZC/xmqXAtz9TqawD0vcOCbjcqmBuXUmiedMKhB2j9YDxTgCrC:Rxu7lZ4xmqg9TJtTCbjpmBR3MMluxTg
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
webs20.futuresouls.com - Port:
587 - Username:
[email protected] - Password:
{dH9Kfx_zsj; - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Drops startup file 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Umhyosdzqov.vbs e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 5 api.ipify.org 4 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exeipconfig.exepid process 2884 ipconfig.exe 2708 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exepid process 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exedescription pid process Token: SeDebugPrivilege 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exepid process 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.execmd.execmd.exedescription pid process target process PID 2080 wrote to memory of 2680 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2680 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2680 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2680 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2680 wrote to memory of 2884 2680 cmd.exe ipconfig.exe PID 2680 wrote to memory of 2884 2680 cmd.exe ipconfig.exe PID 2680 wrote to memory of 2884 2680 cmd.exe ipconfig.exe PID 2680 wrote to memory of 2884 2680 cmd.exe ipconfig.exe PID 2080 wrote to memory of 2992 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2992 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2992 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2080 wrote to memory of 2992 2080 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 2992 wrote to memory of 2708 2992 cmd.exe ipconfig.exe PID 2992 wrote to memory of 2708 2992 cmd.exe ipconfig.exe PID 2992 wrote to memory of 2708 2992 cmd.exe ipconfig.exe PID 2992 wrote to memory of 2708 2992 cmd.exe ipconfig.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe"C:\Users\Admin\AppData\Local\Temp\e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe"1⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2080 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release2⤵
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:2884 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew2⤵
- Suspicious use of WriteProcessMemory
PID:2992 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:2708