Analysis
-
max time kernel
120s -
max time network
144s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
08-12-2023 02:13
Static task
static1
Behavioral task
behavioral1
Sample
c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe
Resource
win7-20231023-en
Behavioral task
behavioral2
Sample
c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe
Resource
win10v2004-20231127-en
General
-
Target
c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe
-
Size
431KB
-
MD5
9c288c5fc24b5181810f8b3466dd7365
-
SHA1
80ced01c1a68080303efd61228d90090a693ec75
-
SHA256
c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b
-
SHA512
a6e38328d32ef1d9b2c2d5ee292194e334f3625ffff8fc2593035a6bcf70ac4da109528795248f9f403157200d7c28b10b80de2b1679230c9d8113868059bff7
-
SSDEEP
12288:UhsklAKxbWfxyJUa28FIQcqD8ZsZbKFn56s3Z:UhVAKpWpyUT8F3cy8ebWosp
Malware Config
Extracted
Protocol: smtp- Host:
server1.sqsendy.shop - Port:
587 - Username:
[email protected] - Password:
{f];qthoiBBW
Extracted
agenttesla
Protocol: smtp- Host:
server1.sqsendy.shop - Port:
587 - Username:
[email protected] - Password:
{f];qthoiBBW - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2085049433-1067986815-1244098655-1000\Software\Microsoft\Windows\CurrentVersion\Run\rwi = "C:\\Users\\Admin\\AppData\\Roaming\\rwi.exe" c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe -
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 6 ip-api.com 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1788 set thread context of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2400 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 2400 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe Token: SeDebugPrivilege 2400 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30 PID 1788 wrote to memory of 2400 1788 c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe"C:\Users\Admin\AppData\Local\Temp\c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe"1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788 -
C:\Users\Admin\AppData\Local\Temp\c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exeC:\Users\Admin\AppData\Local\Temp\c56269fd74de127be075c010e45313d6461ea9d2d646ebdf13391f1c6409092b.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2400
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06