Analysis
-
max time kernel
118s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20231130-en -
resource tags
arch:x64arch:x86image:win7-20231130-enlocale:en-usos:windows7-x64system -
submitted
06-12-2023 07:09
Static task
static1
Behavioral task
behavioral1
Sample
Balance Confirmation_pdf.exe
Resource
win7-20231130-en
Behavioral task
behavioral2
Sample
Balance Confirmation_pdf.exe
Resource
win10v2004-20231127-en
General
-
Target
Balance Confirmation_pdf.exe
-
Size
343KB
-
MD5
175320e35a91aa8415e3b08ea6e5bdc6
-
SHA1
1639248526ceef472194ba43252741cfb1e4698f
-
SHA256
5fe3691051b15363c0cb99225680eadf139d815a078bb8e35d6acdfa59992104
-
SHA512
fce970be9c4ec7779e153ff9a1803d8b673e5ba6440999c74e7e4a562e37ef69e40a4a751c300c0dcfaac4ea11d29edb6ef2d4d527d17c005c152fdd3bb7a03a
-
SSDEEP
6144:M+NN8s91BMtFaG81g5qJRn4xxL2l6IKH+uFP4VYQXXepDzMYgA5YuvsuFie:fL1BoFaG81S0Rn4xtB9Q2QXMMcZvwe
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://mydevelopmentstory.com - Port:
21 - Username:
[email protected] - Password:
ENugu@042EN
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Balance Confirmation_pdf.exedescription pid process target process PID 1728 set thread context of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Balance Confirmation_pdf.exepid process 2960 Balance Confirmation_pdf.exe 2960 Balance Confirmation_pdf.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Balance Confirmation_pdf.exedescription pid process Token: SeDebugPrivilege 2960 Balance Confirmation_pdf.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Balance Confirmation_pdf.exedescription pid process target process PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe PID 1728 wrote to memory of 2960 1728 Balance Confirmation_pdf.exe Balance Confirmation_pdf.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Balance Confirmation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Balance Confirmation_pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\Balance Confirmation_pdf.exe"C:\Users\Admin\AppData\Local\Temp\Balance Confirmation_pdf.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960