Analysis
max time kernel: 139s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-12-2023 16:40
Static task: static1
Behavioral task: behavioral1
  Sample: afro76tyg.exe
  Resource: win7-20231023-en
Behavioral task: behavioral2
  Sample: afro76tyg.exe
  Resource: win10v2004-20231127-en
General
Target: afro76tyg.exe
Size: 334KB
MD5: 20ca3c6b39bae2b654b976d0577405d8
SHA1: 6eff448ec998ed4499f312b4ab93801a6707267a
SHA256: 897f63b1e9aa84952f2412533fece39161f4fb4ee3077ee5d430ffc13a4383c7
SHA512: 04a5f89053555e2a4fe86fa109fa5cebe42103acb4bc1d683b88c4a6095b4bcd6a18d492a019200991cf2affb74485330c0ae6a72ba6041254c512effe978b16
SSDEEP: 6144:hEkP48HVp1FKYWxDPzLyNMVDAcdfPg93Sw9Z7zLtX6s5kO+Bm9clq61:hEZ8HVpPKFSNI84493SWbXH5kSilq
Malware Config
Extracted
  Family: agenttesla
  URL: https://api.telegram.org/bot6669461375:AAGwrSGDuGS4lzGe3ziI4ubZc9TzQ8r1m8o/
Signatures
AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process        procid_target
  PID 4408 set thread context of 2188  4408  afro76tyg.exe  91
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2188  afro76tyg.exe
  2188  afro76tyg.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   Process
  Token: SeDebugPrivilege  2188  afro76tyg.exe
Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   Process        procid_target
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
  PID 4408 wrote to memory of 2188  4408  afro76tyg.exe  91
Processes
1. C:\Users\Admin\AppData\Local\Temp\afro76tyg.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\afro76tyg.exe"
   PID: 4408
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\afro76tyg.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\afro76tyg.exe"
      PID: 2188
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken