Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231025-en
- resource tags: arch:x64, arch:x86, image:win7-20231025-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 11:47
Static task: static1
Behavioral task: behavioral1
  Sample: Order - 07876575.exe
  Resource: win7-20231025-en
Behavioral task: behavioral2
  Sample: Order - 07876575.exe
  Resource: win10v2004-20231130-en
General
- Target: Order - 07876575.exe
- Size: 696KB
- MD5: 3c7a5fd2797f25dde0e89456cc02bc36
- SHA1: 6e5e7b59c6433edaa3de647101d3832c1e8195c8
- SHA256: 9cca6b74cfa89d8505f53fe46291c89ec13c4c43e87192a0d1ed58cdbf54f4e5
- SHA512: 3f35d016fa6841e6227867e29a2168836f1b8d1d28164fb738220d88e6af5ed1a2caa1cce738b429a5e14f7e19b93b8429076746a538f1c9e2536c5de1506095
- SSDEEP: 12288:DgxxXwWvMXikxdMfL7wMnDJvQskQigfRsnC5gv/KeCCCofZZZ1ZliEXjdl47/1WN:iEdavwMnlQHPgIC5gv/KeCCCofZZZ1ZY
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.bezzleauto.com
- Port: 587
- Username: [email protected]
- Password: Tommyduru8118
- Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 35 IoCs
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1861898231-3446828954-4278112889-1000\Software\Microsoft\Windows\CurrentVersion\Run\xml = "C:\\Users\\Admin\\AppData\\Roaming\\xml.exe"
  process: Order - 07876575.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description: PID 2056 set thread context of 1696
  pid: 2056
  process: Order - 07876575.exe
  target process: Order - 07876575.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.
Processes:
  pid   process
  2428  ipconfig.exe
  1388  ipconfig.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  1696  Order - 07876575.exe
  1696  Order - 07876575.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
  description              pid   process
  Token: SeDebugPrivilege  2056  Order - 07876575.exe
  Token: SeDebugPrivilege  1696  Order - 07876575.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes
- C:\Users\Admin\AppData\Local\Temp\Order - 07876575.exe
  "C:\Users\Admin\AppData\Local\Temp\Order - 07876575.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2056
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /release
    - Suspicious use of WriteProcessMemory
    PID:3036
    - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      - Gathers network information
      PID:2428
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - Suspicious use of WriteProcessMemory
    PID:1044
    - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /renew
      - Gathers network information
      PID:1388
  - C:\Users\Admin\AppData\Local\Temp\Order - 07876575.exe
    "C:\Users\Admin\AppData\Local\Temp\Order - 07876575.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1696