Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
07-12-2023 02:31
Static task
static1
Behavioral task
behavioral1
Sample
Documents as requested.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
Documents as requested.exe
Resource
win10v2004-20231127-en
General
-
Target
Documents as requested.exe
-
Size
520KB
-
MD5
7eae5a91d3e871ea0c920f486e1343b4
-
SHA1
74d80650070db49cb7da707666213c4d250e4190
-
SHA256
865cf5013a56a0576a1e837aae17f8ed232c6d43e21f91cecd31d21679f562be
-
SHA512
8bd825dca93e2cc74264ba964c5ffcf11f6553dd34a8c5cf7fb92077ead4f40842616bd9d099320a5816ee79cd0cbfda509b2aac57475d61a763945a57e0570b
-
SSDEEP
12288:O0KVGTm0Ho8ayWTYXtqH1JF3xYJA555dj9v/3YEn1:/TpIPyBXq1/31555d5vdn1
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://files.000webhost.com - Port:
21 - Username:
tain00 - Password:
computer@2020
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Documents as requested.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3425689832-2386927309-2650718742-1000\Software\Microsoft\Windows\CurrentVersion\Run\Tlodwyhh = "C:\\Users\\Admin\\AppData\\Roaming\\Tlodwyhh.exe" Documents as requested.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Documents as requested.exedescription pid process target process PID 2164 set thread context of 2812 2164 Documents as requested.exe Documents as requested.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Documents as requested.exepid process 2812 Documents as requested.exe 2812 Documents as requested.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Documents as requested.exeDocuments as requested.exedescription pid process Token: SeDebugPrivilege 2164 Documents as requested.exe Token: SeDebugPrivilege 2812 Documents as requested.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Documents as requested.exedescription pid process target process PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe PID 2164 wrote to memory of 2812 2164 Documents as requested.exe Documents as requested.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Documents as requested.exe"C:\Users\Admin\AppData\Local\Temp\Documents as requested.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2164 -
C:\Users\Admin\AppData\Local\Temp\Documents as requested.exe"C:\Users\Admin\AppData\Local\Temp\Documents as requested.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2812