Analysis
- max time kernel: 117s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231023-en
- resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 14:02

Static task: static1 (1 signatures)

Behavioral task: behavioral1
- Sample: payment information.exe
- Resource: win7-20231023-en (windows7-x64)
- 7 signatures
- 150 seconds
General
- Target: payment information.exe
- Size: 645KB
- MD5: 724bef127e536884371780b349bc56d5
- SHA1: dde59ba4c82a9b88801e69a35b9d4e88067b2818
- SHA256: 666d0b9d745d378db9fbab1f99cd64c04756d11abff99c55b9b8806ec9e7056a
- SHA512: a9f39e520893c6a440439c4540ee839eb16728cb383a1a744c8b4ea71bb19b93b29e42260846641db79b95af9a6ea0b54bc518057f134c220ff635921c413586
- SSDEEP: 12288:az3IU8S6eUd5RW1BERffN1d0wBMXRTX/ZgXWTmmnn/agPScY8yyhVdl6xgPqp:aDItSAdK1BoNSRtIcvZY8LhVdlpP
Malware Config
Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: MAIL.starmech.in
  - Port: 587
  - Username: [email protected]
  - Password: gaging@2022
  - Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect ZGRat V1 (1 IoCs)
Processes:
  resource: behavioral1/memory/2448-3-0x0000000000570000-0x0000000000588000-memory.dmp
  yara_rule: family_zgrat_v1

Suspicious use of SetThreadContext (1 IoCs)
Processes: payment information.exe
  description: PID 2448 set thread context of 2632
  pid: 2448
  process: payment information.exe
  target process: RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: payment information.exe, RegSvcs.exe
  pid 2448, process payment information.exe (2 entries)
  pid 2632, process RegSvcs.exe (2 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: payment information.exe, RegSvcs.exe
  description: Token: SeDebugPrivilege
  pid: 2448
  process: payment information.exe

  description: Token: SeDebugPrivilege
  pid: 2632
  process: RegSvcs.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: payment information.exe
  12 entries, all identical:
  description: PID 2448 wrote to memory of 2632
  pid: 2448
  process: payment information.exe
  target process: RegSvcs.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\payment information.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
   PID: 2448
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. (child of 1) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2632
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken