Analysis
- max time kernel: 125s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-12-2023 14:02
Tasks
- Static task: static1 (1 signature)
- Behavioral task: behavioral1, sample "payment information.exe", resource win7-20231023-en (windows7-x64), 7 signatures, 150 seconds
The signatures and process tree below come from the Windows 10 run (the memory-dump path in the YARA hit is under behavioral2); the Windows 7 task is listed but its results are not reproduced on this page.
General
- Target: payment information.exe
- Size: 645KB
- MD5: 724bef127e536884371780b349bc56d5
- SHA1: dde59ba4c82a9b88801e69a35b9d4e88067b2818
- SHA256: 666d0b9d745d378db9fbab1f99cd64c04756d11abff99c55b9b8806ec9e7056a
- SHA512: a9f39e520893c6a440439c4540ee839eb16728cb383a1a744c8b4ea71bb19b93b29e42260846641db79b95af9a6ea0b54bc518057f134c220ff635921c413586
- SSDEEP: 12288:az3IU8S6eUd5RW1BERffN1d0wBMXRTX/ZgXWTmmnn/agPScY8yyhVdl6xgPqp:aDItSAdK1BoNSRtIcvZY8LhVdlpP
Malware Config
Extracted
- Family: agenttesla
- Credentials (exfiltration channel):
  - Protocol: smtp
  - Host: MAIL.starmech.in
  - Port: 587
  - Username: [email protected]
  - Password: gaging@2022
  - Email To: [email protected]
These are the operator's mail credentials embedded in the sample: AgentTesla authenticates to the SMTP host with the Username/Password pair and mails harvested data to the Email To address. The host, port and (where not redacted) the sender and recipient addresses are the network indicators worth blocking or alerting on; the mailbox itself is attacker-controlled, not a victim.
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT), usually described as written in Visual Basic .NET. It harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP configuration extracted above.
- Detect ZGRat V1 (1 IoC)
  Resource: behavioral2/memory/4800-6-0x0000000005510000-0x0000000005528000-memory.dmp
  YARA rule: family_zgrat_v1
- Suspicious use of SetThreadContext (1 IoC)
  Description: PID 4800 set thread context of 4240
  PID 4800 (payment information.exe) -> target PID 4240 (RegSvcs.exe)
- Program crash (1 IoC)
  PID 4544 (WerFault.exe) -> crashed process PID 4240 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4800 (payment information.exe), 2 entries
  PID 4240 (RegSvcs.exe), 2 entries
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4800 (payment information.exe)
  Token: SeDebugPrivilege, PID 4240 (RegSvcs.exe)
- Suspicious use of WriteProcessMemory (8 IoCs)
  8 identical entries: PID 4800 wrote to memory of 4240
  PID 4800 (payment information.exe) -> target PID 4240 (RegSvcs.exe)
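The WriteProcessMemory and SetThreadContext entries above, taken together with the parent/child relationship in the process tree, are the process-hollowing pattern .NET loaders use to run a payload inside a legitimate framework binary such as RegSvcs.exe. The following is an added detection example, not tooling from the sandbox vendor: it takes a stream of API-level process events, constructed here by hand from the PIDs and image names in this report rather than parsed from the report itself, and flags any parent that both writes into a child's memory and rewrites a thread context in it when the child is a well-known .NET host binary. The HOLLOW_TARGETS list and the ProcEvent record layout are assumptions for the example.

```python
"""Flag the process-hollowing pattern visible in the signature tables above.

Added example: this is not code from the sandbox vendor, and the event records
below are constructed by hand from the PIDs and image names in the report
(4800 -> 4240), not parsed from the report file itself.
"""
from collections import defaultdict
from dataclasses import dataclass

# .NET framework utilities commonly abused as hollowing targets by AgentTesla
# loaders (this report shows RegSvcs.exe). The list is an assumption for the
# example; extend it to suit your environment.
HOLLOW_TARGETS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "aspnet_compiler.exe", "vbc.exe", "csc.exe",
}


@dataclass(frozen=True)
class ProcEvent:
    """One API event as a sandbox or EDR would log it (layout assumed)."""
    api: str          # e.g. "WriteProcessMemory" or "SetThreadContext"
    pid: int          # acting process
    image: str        # acting process image name
    target_pid: int   # process acted upon
    target_image: str


def find_hollowing(events):
    """Return [(parent_pid, child_pid, child_image, evidence), ...].

    A (parent, child) pair is reported when the same parent both writes into
    the child's memory and sets a thread context in it, and the child image is
    a known .NET host. Call counts are kept so the analyst can see volume (the
    report logs 8 WriteProcessMemory calls for a single injection).
    """
    writes = defaultdict(int)
    ctx = defaultdict(int)
    images = {}
    for ev in events:
        key = (ev.pid, ev.target_pid)
        if ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext":
            ctx[key] += 1
        else:
            continue
        images[key] = (ev.image, ev.target_image)

    hits = []
    for key in writes.keys() & ctx.keys():
        _parent_img, child_img = images[key]
        if child_img.lower() in HOLLOW_TARGETS:
            hits.append((key[0], key[1], child_img,
                         {"WriteProcessMemory": writes[key],
                          "SetThreadContext": ctx[key]}))
    return sorted(hits, key=lambda h: (h[0], h[1]))


# Constructed sample: the 8 WriteProcessMemory calls and the single
# SetThreadContext from the report, plus a debugger-like pair against
# notepad.exe that performs the same API calls but must not be flagged.
SAMPLE_EVENTS = (
    [ProcEvent("WriteProcessMemory", 4800, "payment information.exe",
               4240, "RegSvcs.exe")] * 8
    + [ProcEvent("SetThreadContext", 4800, "payment information.exe",
                 4240, "RegSvcs.exe"),
       ProcEvent("WriteProcessMemory", 1234, "debugger.exe", 5678, "notepad.exe"),
       ProcEvent("SetThreadContext", 1234, "debugger.exe", 5678, "notepad.exe")]
)

if __name__ == "__main__":
    for parent, child, image, evidence in find_hollowing(SAMPLE_EVENTS):
        print(f"hollowing suspected: {parent} -> {child} ({image}) {evidence}")
```

The image allowlist is what keeps this from firing on every debugger, since a debugger legitimately issues the same two calls. In a production rule you would also require that the parent created the child (ideally with CREATE_SUSPENDED) and that the child's command line is empty or unusual for that binary, as it is here: RegSvcs.exe is launched with no arguments at all.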
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\payment information.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
  PID: 4800
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4240
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - (depth 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 1352
      PID: 4544
      - Program crash
- (depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
  PID: 3388
RegSvcs.exe is started with no arguments from the 32-bit Framework directory (not Framework64) and is reported on by the SysWOW64 WerFault, consistent with a 32-bit .NET payload hollowed into it; both WerFault instances reference PID 4240, so the crash belongs to the injected payload, not to the loader, which is why the run ends without further network activity from the stealer.