Analysis
max time kernel: 150s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231127-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2023 14:01
Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: payment information.exe
Resource: win7-20231129-en (windows7-x64)
7 signatures, 150 seconds
General
Target: payment information.exe
Size: 645KB
MD5: 724bef127e536884371780b349bc56d5
SHA1: dde59ba4c82a9b88801e69a35b9d4e88067b2818
SHA256: 666d0b9d745d378db9fbab1f99cd64c04756d11abff99c55b9b8806ec9e7056a
SHA512: a9f39e520893c6a440439c4540ee839eb16728cb383a1a744c8b4ea71bb19b93b29e42260846641db79b95af9a6ea0b54bc518057f134c220ff635921c413586
SSDEEP: 12288:az3IU8S6eUd5RW1BERffN1d0wBMXRTX/ZgXWTmmnn/agPScY8yyhVdl6xgPqp:aDItSAdK1BoNSRtIcvZY8LhVdlpP
Malware Config
Extracted
Family: agenttesla
Credentials
Protocol: smtp
Host: MAIL.starmech.in
Port: 587
Username: [email protected]
Password: gaging@2022
Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect ZGRat V1 (1 IoC)
Processes:
resource: behavioral2/memory/1428-6-0x0000000005270000-0x0000000005288000-memory.dmp | yara_rule: family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
Processes: payment information.exe
description | pid | process | target process
PID 1428 set thread context of 4604 | 1428 | payment information.exe | RegSvcs.exe

Program crash (1 IoC)
Processes: WerFault.exe
pid | pid_target | process | target process
952 | 4604 | WerFault.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes: payment information.exe, RegSvcs.exe
pid | process
1428 | payment information.exe
1428 | payment information.exe
4604 | RegSvcs.exe
4604 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes: payment information.exe, RegSvcs.exe
description | pid | process
Token: SeDebugPrivilege | 1428 | payment information.exe
Token: SeDebugPrivilege | 4604 | RegSvcs.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: payment information.exe
description | pid | process | target process
PID 1428 wrote to memory of 4604 | 1428 | payment information.exe | RegSvcs.exe (this event is recorded 8 times)
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\payment information.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
  PID: 1428
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 4604
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    [depth 3] C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4604 -s 1376
      PID: 952
      - Program crash

[depth 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4604 -ip 4604
  PID: 1956