Analysis
-
max time kernel
117s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20231023-en -
resource tags
arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system -
submitted
12-12-2023 07:28
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.Win32.PWSX-gen.21667.exe
Resource
win7-20231023-en
General
-
Target
SecuriteInfo.com.Win32.PWSX-gen.21667.exe
-
Size
653KB
-
MD5
437067bc7190a7931c53e3e2f0e8185a
-
SHA1
bf17143f35531655ab0af5c4c7625f58d611f50f
-
SHA256
cd10c10c18af02c84db0cfc309c6357897bb6b07f987ba38a3eb83781ca63f24
-
SHA512
258d333d03f397449a9c3fcfdcc750c561fb2e95522ebdfeca4cd320bb924be604224b64cc780b8d1cbf7f53fb694499758220038883ca0f6984f6f58bf5ab55
-
SSDEEP
12288:o13IU8S6eUdJKiISKICXAVoRy4EANanNZ84iiCn6XkPf+oXemxFUMoLO9nTovCwg:odItSAdJKiIB/AeQ4zanNZ8PTVHLL0wh
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6833930321:AAHwDIEAPHebsHtw__k-gJGBZ92DAJlw8_s/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2044-3-0x0000000000210000-0x0000000000228000-memory.dmp family_zgrat_v1 -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.21667.exedescription pid process target process PID 2044 set thread context of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.21667.exepid process 2752 SecuriteInfo.com.Win32.PWSX-gen.21667.exe 2752 SecuriteInfo.com.Win32.PWSX-gen.21667.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.21667.exedescription pid process Token: SeDebugPrivilege 2752 SecuriteInfo.com.Win32.PWSX-gen.21667.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
SecuriteInfo.com.Win32.PWSX-gen.21667.exedescription pid process target process PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe PID 2044 wrote to memory of 2752 2044 SecuriteInfo.com.Win32.PWSX-gen.21667.exe SecuriteInfo.com.Win32.PWSX-gen.21667.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21667.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21667.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044 -
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21667.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21667.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2752