Analysis
-
max time kernel
131s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
11-12-2023 13:24
Behavioral task
behavioral1
Sample
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe
Resource
win10v2004-20231127-en
General
-
Target
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe
-
Size
237KB
-
MD5
103ea4b28710ffe97ec72422b707e71d
-
SHA1
438ad17788c6c155b9bacd5649f43c09c4cdb77b
-
SHA256
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4
-
SHA512
74d76d01f8ad9459b5bcd59bdacd139f196f2a6b20997a90d40fbb363338a6e9086ac3664480655b721b674de07b76465087a7cd7ef76bef3744795ff125dd2f
-
SSDEEP
3072:2OAA0QcQHKhaKdH76VaDfbQUz2pAft5vETH7aB:XAA0QcQHKhaKdb0aDf8Uz2pAf0Tba
Malware Config
Extracted
Protocol: smtp- Host:
mail.rolexlogisticsservice.com - Port:
587 - Username:
[email protected] - Password:
0.p-TydLJ-3Z
Extracted
agenttesla
Protocol: smtp- Host:
mail.rolexlogisticsservice.com - Port:
587 - Username:
[email protected] - Password:
0.p-TydLJ-3Z - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 37 api.ipify.org 40 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exepid process 3104 133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe 3104 133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exedescription pid process Token: SeDebugPrivilege 3104 133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exepid process 3104 133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe"C:\Users\Admin\AppData\Local\Temp\133ecf75de9fdeed268dc746afc7ec1ae2f128e208c41d7b37b51bf76843ffb4.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3104