Analysis
Max time kernel: 148s
Max time network: 149s
Platform: windows10-2004_x64
Resource: win10v2004-20231130-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 06-12-2023 17:18
Static task: static1
Behavioral task: behavioral1
  Sample: qoutation.exe
  Resource: win7-20231201-en
Behavioral task: behavioral2
  Sample: qoutation.exe
  Resource: win10v2004-20231130-en
General
Target: qoutation.exe
Size: 741KB
MD5: 0d950c4060fa70d245c19188008b3979
SHA1: fa617cc13128242c7098bcc9a03fe6111fdf6486
SHA256: 302424b06f54db9c6f269d34c4db7e6a004a09e228e62a6f646ed02d4c05eab4
SHA512: 3bd2cdc10fca28937d24e07d070664c317b19218f5a68ed3fd663f3ea7aaeb84a92ee915fabd78523c95a4d966069dd2b8765524e859d9647badf84361369e36
SSDEEP: 12288:9qc3+GCueH5qJmwvUenxMCmJ3AIfS3EtQba6zmJcZ11vz8pyL2xo2bHXk7USye8B:9/uG2qJNvUexFortA6is2US9
Malware Config
Extracted
agenttesla
https://discord.com/api/webhooks/1181175876428234762/vyp2c0TtvZWnT44gDou-o5BXqrA0VFVwF_fjcBmcOk48_6kYSNpVxKQy260BXHtoN7cX
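The webhook above is the sample's exfiltration endpoint. As an added example (not part of the Triage report), the Python below parses it into the webhook id and token, decodes the id as a Discord snowflake to recover when the webhook was created, and emits the lookup, takedown and blocking strings an analyst would use next. The Discord epoch and the /api/webhooks/<id>/<token> URL layout are platform facts assumed here, not taken from the report, and nothing is sent to the network.

```python
"""Added example (not part of the Triage report): turn the extracted AgentTesla
Discord webhook into triage data without touching the network.

Assumptions (not from the report): the Discord snowflake epoch of 2015-01-01
UTC and the public webhook URL layout /api/webhooks/<id>/<token>. The report
only supplies the URL itself.
"""
import re
from datetime import datetime, timedelta, timezone

# Copied from the report's Malware Config section.
WEBHOOK_URL = ("https://discord.com/api/webhooks/1181175876428234762/"
               "vyp2c0TtvZWnT44gDou-o5BXqrA0VFVwF_fjcBmcOk48_6kYSNpVxKQy260BXHtoN7cX")

# Discord snowflake epoch: 2015-01-01T00:00:00Z in milliseconds.
DISCORD_EPOCH_MS = 1_420_070_400_000

_WEBHOOK_RE = re.compile(
    r"^https://(?:discord\.com|discordapp\.com)"
    r"/api/webhooks/(?P<id>\d{17,20})/(?P<token>[A-Za-z0-9_-]+)$"
)


def parse_webhook(url):
    """Split a Discord webhook URL into (id, token); raise on anything else."""
    m = _WEBHOOK_RE.match(url.strip())
    if not m:
        raise ValueError("not a Discord webhook URL: %r" % url)
    return m.group("id"), m.group("token")


def snowflake_to_utc(snowflake):
    """Decode the creation time embedded in a Discord snowflake.

    Bits 22 and up hold milliseconds since the Discord epoch; the low 22 bits
    are worker/process/sequence and are discarded by the shift.
    """
    ms = (int(snowflake) >> 22) + DISCORD_EPOCH_MS
    # timedelta keeps integer milliseconds exact; fromtimestamp() would go via float.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(milliseconds=ms)


def triage(url):
    """Return the facts and follow-up actions for one webhook URL."""
    wid, token = parse_webhook(url)
    created = snowflake_to_utc(wid)
    return {
        "webhook_id": wid,
        "token_len": len(token),
        "created_utc": created.isoformat(),
        # Unauthenticated lookup / takedown use the same id+token pair.
        "lookup": "GET https://discord.com/api/webhooks/%s/%s" % (wid, token),
        "revoke": "DELETE https://discord.com/api/webhooks/%s/%s" % (wid, token),
        # Proxy / IDS pattern: match on the id so the rule does not carry the
        # secret token around in every detection platform.
        "block_regex": r"discord(?:app)?\.com/api/webhooks/%s/" % wid,
    }


if __name__ == "__main__":
    for k, v in triage(WEBHOOK_URL).items():
        print("%-13s %s" % (k, v))
```

The GET returns the webhook object (name, channel and guild id) without any authentication and the DELETE revokes it; record the token before revoking, since revocation is what actually cuts the actor off. The decoded creation time (2023-12-04 UTC) lands two days before the submission date above, the kind of cross-check worth writing into the case notes.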
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The behaviours below are its usual credential-harvesting and exfiltration chain.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla. FileZilla keeps saved sites and their credentials in sitemanager.xml and recentservers.xml under %APPDATA%\FileZilla, so a read of those files by anything other than filezilla.exe is a strong indicator on its own.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Legitimate hosting services abused for malware hosting/C2 (1 TTP)
The extracted config points at a Discord webhook, so stolen data leaves over HTTPS to discord.com and will not stand out by destination alone; block or alert on the webhook path rather than the domain.

Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow   ioc
35     api.ipify.org
36     api.ipify.org

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
pid    process
1068   qoutation.exe   (64 hits, all from this one process)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description               pid    process
Token: SeDebugPrivilege   1068   qoutation.exe
SeDebugPrivilege lets a process open handles to processes it does not own; together with the process enumeration above it is the usual precursor to reading another process's memory or injecting into it.
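The signatures above describe one chain: SeDebugPrivilege, process enumeration, reads of FTP/browser/mail credential stores, an api.ipify.org lookup and a POST to the Discord webhook. As an added example (not part of the Triage report, and not any EDR vendor's schema), the Python below runs a correlation rule over constructed telemetry for process 1068 plus a benign filezilla.exe reading its own config, and only calls a process AgentTesla-like when it has both read a credential store and posted to a webhook. The event field names, the extra IP-lookup hosts and the benign process are assumptions; the file paths are the standard locations of those credential stores.

```python
"""Added example, not from the Triage report: correlate the report's
signatures into one verdict per process. Event records below are constructed
and their field names are an assumed generic shape, not a vendor schema.
"""
import re
from collections import defaultdict

# Credential stores behind the report's "Reads data files..." signatures.
CREDENTIAL_STORES = {
    "ftp_client":  [r"\\FileZilla\\sitemanager\.xml$", r"\\FileZilla\\recentservers\.xml$"],
    "browser":     [r"\\User Data\\[^\\]+\\Login Data$",
                    r"\\Mozilla\\Firefox\\Profiles\\[^\\]+\\logins\.json$"],
    "mail_client": [r"\\Thunderbird\\Profiles\\[^\\]+\\(key4\.db|logins\.json)$"],
}
# The report shows api.ipify.org; the others are assumed common alternatives.
IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io", "checkip.amazonaws.com"}
WEBHOOK_PATH_RE = re.compile(r"^/api/webhooks/\d{17,20}/[A-Za-z0-9_-]+$")


def classify(ev):
    """Map one event to a behaviour tag, or None if it is not interesting."""
    op = ev["op"]
    if op == "file_read":
        for tag, pats in CREDENTIAL_STORES.items():
            if any(re.search(p, ev["path"], re.I) for p in pats):
                return "reads_" + tag
    elif op == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
        return "external_ip_lookup"
    elif (op == "http" and ev["method"] == "POST"
          and ev["host"] in ("discord.com", "discordapp.com")
          and WEBHOOK_PATH_RE.match(ev["path"])):
        return "discord_webhook_post"
    elif op == "token_adjust" and ev["privilege"] == "SeDebugPrivilege":
        return "sedebug"
    return None


def correlate(events):
    """Collect tags per pid; theft plus an exfil channel makes the verdict."""
    tags = defaultdict(set)
    for ev in events:
        t = classify(ev)
        if t:
            tags[ev["pid"]].add(t)
    verdicts = {}
    for pid, ts in tags.items():
        stole = any(t.startswith("reads_") for t in ts)
        exfil = "discord_webhook_post" in ts
        # The IP lookup and SeDebugPrivilege alone are too noisy to alert on;
        # they raise confidence but are not required.
        verdicts[pid] = {"tags": sorted(ts), "agenttesla_like": stole and exfil}
    return verdicts


# Constructed sample telemetry, modelled on the report's process 1068.
EVENTS = [
    {"pid": 1068, "image": "qoutation.exe", "op": "token_adjust", "privilege": "SeDebugPrivilege"},
    {"pid": 1068, "image": "qoutation.exe", "op": "file_read",
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 1068, "image": "qoutation.exe", "op": "file_read",
     "path": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1068, "image": "qoutation.exe", "op": "file_read",
     "path": r"C:\Users\user\AppData\Roaming\Thunderbird\Profiles\k3x9q.default-release\key4.db"},
    {"pid": 1068, "image": "qoutation.exe", "op": "dns", "query": "api.ipify.org"},
    {"pid": 1068, "image": "qoutation.exe", "op": "http", "method": "POST", "host": "discord.com",
     "path": "/api/webhooks/1181175876428234762/"
             "vyp2c0TtvZWnT44gDou-o5BXqrA0VFVwF_fjcBmcOk48_6kYSNpVxKQy260BXHtoN7cX"},
    # Benign (assumed): FileZilla reading its own config must not trip the rule.
    {"pid": 4412, "image": "filezilla.exe", "op": "file_read",
     "path": r"C:\Users\user\AppData\Roaming\FileZilla\sitemanager.xml"},
]

if __name__ == "__main__":
    for pid, v in correlate(EVENTS).items():
        print(pid, v)
```

The rule deliberately keys on the webhook path rather than on discord.com, which carries plenty of legitimate traffic, and it treats the api.ipify.org lookup as corroboration only; on its own that lookup is made by plenty of benign software.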