Analysis
-
max time kernel
125s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20231130-en -
resource tags
arch:x64arch:x86image:win10v2004-20231130-enlocale:en-usos:windows10-2004-x64system -
submitted
06-12-2023 03:12
Static task
static1
Behavioral task
behavioral1
Sample
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
Resource
win10v2004-20231130-en
General
-
Target
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe
-
Size
422KB
-
MD5
a4b7d954a47d10725218d26512544394
-
SHA1
4d7a7b92c256927cb93d78896f278e8945ea0665
-
SHA256
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff
-
SHA512
ee7554af28b119016d04e1f3e6eae2296c9406e02835f6506bb255c4f606b3cde1ad655217a13d5d51796502047ec590179bb2a45db0433ffce437653a8ae977
-
SSDEEP
6144:Rxu7VAd87ZC/xmqXAtz9TqawD0vcOCbjcqmBuXUmiedMKhB2j9YDxTgCrC:Rxu7lZ4xmqg9TJtTCbjpmBR3MMluxTg
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
webs20.futuresouls.com - Port:
587 - Username:
[email protected] - Password:
{dH9Kfx_zsj; - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Control Panel\International\Geo\Nation e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Drops startup file 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Umhyosdzqov.vbs e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 10 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
ipconfig.exeipconfig.exepid process 4112 ipconfig.exe 4856 ipconfig.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exepid process 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exedescription pid process Token: SeDebugPrivilege 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exepid process 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.execmd.execmd.exedescription pid process target process PID 1824 wrote to memory of 4628 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 1824 wrote to memory of 4628 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 1824 wrote to memory of 4628 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 4628 wrote to memory of 4112 4628 cmd.exe ipconfig.exe PID 4628 wrote to memory of 4112 4628 cmd.exe ipconfig.exe PID 4628 wrote to memory of 4112 4628 cmd.exe ipconfig.exe PID 1824 wrote to memory of 1032 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 1824 wrote to memory of 1032 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 1824 wrote to memory of 1032 1824 e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe cmd.exe PID 1032 wrote to memory of 4856 1032 cmd.exe ipconfig.exe PID 1032 wrote to memory of 4856 1032 cmd.exe ipconfig.exe PID 1032 wrote to memory of 4856 1032 cmd.exe ipconfig.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe"C:\Users\Admin\AppData\Local\Temp\e7f46dc7145e87eb0674a7b2b7b980a886defb6e8ad7a2caff796a3787a01dff.exe"1⤵
- Checks computer location settings
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1824 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /release2⤵
- Suspicious use of WriteProcessMemory
PID:4628 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:4112 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ipconfig /renew2⤵
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /renew3⤵
- Gathers network information
PID:4856