Analysis
-
max time kernel
120s
-
max time network
151s
-
platform
windows7_x64
-
resource
win7-20231020-en
-
resource tags
arch:x64 arch:x86 image:win7-20231020-en locale:en-us os:windows7-x64 system
submitted
12-12-2023 14:39
Static task
static1
Behavioral task
behavioral1
Sample
bWfV00eDJC2VLNt.exe
Resource
win7-20231020-en
General
-
Target
bWfV00eDJC2VLNt.exe
-
Size
620KB
-
MD5
7e9fd51231a5b40b2fac974b98ddbeab
-
SHA1
4567771d463f7827a779e13beadafb2be98dd39d
-
SHA256
a0a6aecabb4be0f50081fa24e2b6efe4807522ffbdd0a09e56a4ace6fa35b3a6
-
SHA512
5ee035e8c23cf68805df64f475dda06206ca3c38a0e95a40dc2798f2c3a06f5f44a6327efab55f4405a32bb87523d36b893cdf1b9d1ab68027775ffd352151c4
-
SSDEEP
12288:e93IU8S6eUdfkA7jOZxHBVj4iNjhnIF7seHANhraR8uiLNJk1XaBKQ:elItSAdfN8ISXNxA8uMNJktaBj
Malware Config
Extracted
Protocol: smtp
Host: mail.helikhodro.com
Port: 587
Username: [email protected]
Password: @Ii9121070423
Extracted
agenttesla
Protocol: smtp
Host: mail.helikhodro.com
Port: 587
Username: [email protected]
Password: @Ii9121070423
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 (1 IoC)
Processes:
resource   behavioral1/memory/1164-3-0x00000000008D0000-0x00000000008E8000-memory.dmp
yara_rule  family_zgrat_v1
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
6     ip-api.com
4     api.ipify.org
5     api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes: bWfV00eDJC2VLNt.exe
description                          pid   process              target process
PID 1164 set thread context of 2748  1164  bWfV00eDJC2VLNt.exe  RegSvcs.exe
Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes: bWfV00eDJC2VLNt.exe, RegSvcs.exe
pid   process
1164  bWfV00eDJC2VLNt.exe
1164  bWfV00eDJC2VLNt.exe
1164  bWfV00eDJC2VLNt.exe
2748  RegSvcs.exe
2748  RegSvcs.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: bWfV00eDJC2VLNt.exe, RegSvcs.exe
description              pid   process
Token: SeDebugPrivilege  1164  bWfV00eDJC2VLNt.exe
Token: SeDebugPrivilege  2748  RegSvcs.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes: bWfV00eDJC2VLNt.exe
description                       pid   process              target process
PID 1164 wrote to memory of 2160  1164  bWfV00eDJC2VLNt.exe  RegSvcs.exe  (7 identical entries)
PID 1164 wrote to memory of 2748  1164  bWfV00eDJC2VLNt.exe  RegSvcs.exe  (12 identical entries)
Processes
-
C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\bWfV00eDJC2VLNt.exe"
Depth: 1
PID: 1164
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth: 2 (child of PID 1164)
PID: 2160
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Depth: 2 (child of PID 1164)
PID: 2748
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
65KB
MD5
ac05d27423a85adc1622c714f2cb6184
SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
344B
MD5
0a3ec621c5b5c163387e7584d208e5a8
SHA1
54ab9924285dc0a986b926a5ec3171ea6281e86c
SHA256
25b1839fbe5184020801f0d582700484271df43a0d4cb0be284ea881d00cc378
SHA512
57dcaa7b4c4dd6b924200aebb3eaac071b13ed401857d436f3578431fe42928d96dbb02e6f7ad1bf7e1462f0f163d46f5fd67cf00face985c5ff3a92628456b7
-
Filesize
61KB
MD5
f3441b8572aae8801c04f3060b550443
SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15
SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf
SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9
-
Filesize
171KB
MD5
9c0c641c06238516f27941aa1166d427
SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06