Analysis

max time kernel: 117s
max time network: 121s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 07-12-2023 01:10
Static task: static1

Behavioral task: behavioral1
  Sample: 7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe
  Resource: win7-20231023-en

Behavioral task: behavioral2
  Sample: 7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe
  Resource: win10v2004-20231130-en
General

Target: 7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe
Size: 848KB
MD5: 0d3f3677ea8d45a57d725d61c71c172b
SHA1: be4ca1e7e6a23784efce031f83c0232141cd0718
SHA256: 7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c
SHA512: 6b4fd4ac87b2d64881986dacf956a1aa3ec8e7cb351cc58d512e5b48c61a1ee5b2e69b264e4b8ec549211f5a29b35eb883e3e2cf79decd89467a07c069f36226
SSDEEP: 12288:MaqvKgABiOX57dhpovj+6xuXvQDX7xRRVHZUvKeUtfysEa7ueH5qTIx:2OX5ZhSrXiQDFRRoZU5dEapq2
Malware Config (extracted)

Family: agenttesla
URL: https://api.telegram.org/bot6488735902:AAFjq98r8SzTcc0BHWZQiLUk749fQ78ULos/
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                           pid   process                                                                   target process
    PID 2984 set thread context of 2492   2984  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe

Suspicious behavior: EnumeratesProcesses (18 IoCs)
  Processes:
    pid   process
    2984  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe  (16 entries)
    2492  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe  (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description               pid   process
    Token: SeDebugPrivilege   2984  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe
    Token: SeDebugPrivilege   2492  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid   process
    2492  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
    description                          pid   process                                                                   target process
    PID 2984 wrote to memory of 2492     2984  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe  7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe  (9 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe"
   PID: 2984
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe (child of PID 2984)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7c57d141f4c57d4ab30efd69206dc0a236ed915b2dbc437a9305b860e66e8a3c.exe"
      PID: 2492
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx