Analysis
- max time kernel: 125s
- max time network: 63s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2023 07:33
Static task: static1
Behavioral task: behavioral1
- Sample: LAM CHUAN.exe
- Resource: win7-20231130-en
Behavioral task: behavioral2
- Sample: LAM CHUAN.exe
- Resource: win10v2004-20231130-en
General
- Target: LAM CHUAN.exe
- Size: 573KB
- MD5: b2d39ecdb67012426b8a8b7389a71aa8
- SHA1: 8905ac8f4674b55fd41cd15fbf9965bad5041f8d
- SHA256: 41430a71d6847e8c25206b5101164baa53b098ca1ee9c8d71a33ceb09e672927
- SHA512: 6e77e4529745999175c4ad760d962264846a9947bb5964842d67b4483c9c4a2f0e6ed5d73b6e5df18a8db75cc103e024a361f7821c9c52968be09799d4e1dfe9
- SSDEEP: 12288:TJ3IU8S6eUdwCY/d/8EqXrfLLzsRqzORl3gQgN0LcvxJ0EwFVvoMYRHA:ThItSAdwCYFe0Ri6lQQgN0SxJnwEMuH
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: NX@@OLDdollarDV8FW7
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  yara_rule: family_zgrat_v1
  resource: behavioral2/memory/3872-6-0x0000000004E70000-0x0000000004E88000-memory.dmp
- Accesses Microsoft Outlook profiles (1 TTP, 3 IoCs)
  Process: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- Suspicious use of SetThreadContext (1 IoC)
  Process: LAM CHUAN.exe
  - PID 3872 (LAM CHUAN.exe) set thread context of PID 2604 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: RegSvcs.exe
  - PID 2604 RegSvcs.exe (2 occurrences)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RegSvcs.exe
  - Token: SeDebugPrivilege, PID 2604 RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Process: LAM CHUAN.exe
  - PID 3872 (LAM CHUAN.exe) wrote to memory of PID 2604 (RegSvcs.exe), 8 identical entries
- outlook_office_path (1 IoC)
  Process: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- outlook_win_path (1 IoC)
  Process: RegSvcs.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Processes
1. C:\Users\Admin\AppData\Local\Temp\LAM CHUAN.exe (PID 3872)
   Command line: "C:\Users\Admin\AppData\Local\Temp\LAM CHUAN.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2604), child of process 1
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path