Analysis
- max time kernel: 148s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09-12-2023 03:26
Static task: static1
Behavioral task: behavioral1
- Sample: tmp.exe
- Resource: win7-20231023-en
Behavioral task: behavioral2
- Sample: tmp.exe
- Resource: win10v2004-20231130-en
General
- Target: tmp.exe
- Size: 898KB
- MD5: 7d0f12a4f6f4b516672c222b75d3b4a4
- SHA1: 24d49f1738f848d1b04d75e9e5779c6e51209fb1
- SHA256: 123159059996fe70e697717341356dc29963680e2733f7549e964a6679a88fbb
- SHA512: ba2059445113dc4a64fb8dfab8a7c35f82ad2a27e99cc2f53991fc84dfc15561aa736e6cd0468088693d90e9431f7bfd37bdc44e8ad2012bfd8609e3505b33e0
- SSDEEP: 12288:so54MzcXkjOLIGeWukW4V1VlmT972PM+QCgVtoF:Whtet4V1LmcETPC
Malware Config
Extracted
- Protocol: ftp
- Host: ftp.siscop.com.co
- Port: 21
- Username: [email protected]
- Password: +5s48Ia2&-(t
Extracted
- Family: agenttesla
- Protocol: ftp
- Host: ftp://ftp.siscop.com.co
- Port: 21
- Username: [email protected]
- Password: +5s48Ia2&-(t
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  203  | ip-api.com
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid  | Process
  4076 | tmp.exe (the same entry is reported for all 64 IoCs)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                    | pid  | Process
  Token: SeDebugPrivilege        | 4076 | tmp.exe
  Token: SeManageVolumePrivilege | 856  | svchost.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID: 4076
- C:\Windows\system32\rundll32.exe
  Command line: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
  PID: 952
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
  - Suspicious use of AdjustPrivilegeToken
  PID: 856