Analysis

max time kernel: 121s
max time network: 124s
platform: windows7_x64
resource: win7-20231023-en
resource tags: arch:x64, arch:x86, image:win7-20231023-en, locale:en-us, os:windows7-x64, system
submitted: 12-12-2023 14:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
Sample: payment information.exe
Resource: win7-20231023-en (windows7-x64)
7 signatures, 150 seconds
General

Target: payment information.exe
Size: 662KB
MD5: 601faa896b9ddbf2e26564f88e5f2280
SHA1: fc542a95d91dcd6c7ec461e1796b49167bf3a8f9
SHA256: f24a13886b4f210691bf73566963618b370ca0781cf65cb212cafb13e12060ff
SHA512: 7bcf72a99a6c4f2044c09866211bf489dea9a3c628f63db3eddea23b08516fbf7434c852daa1d22e8fd4e0bfcd621dfe1991285f91477780bcb6ddabcb48324c
SSDEEP: 12288:njobG+4WpAEvyQvEsTLEzOC0lamfm1cjZxdDWDCzklbpe+f2+:spAEosfE8amfm2jZxdDQDHe
Malware Config

Extracted
Family: agenttesla

Credentials (SMTP exfiltration channel)
Protocol: smtp
Host: MAIL.starmech.in
Port: 587
Username: [email protected]
Password: gaging@2022
Email To: [email protected]

These are the attacker-controlled mailbox credentials embedded in the sample: the stealer authenticates to MAIL.starmech.in on the mail-submission port (587) with the username/password above and sends the harvested data to the "Email To" address. The host and the credentials are the actionable network indicators here; the sample has no separate C2 beyond this SMTP account.
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), historically written in Visual Basic .NET; it harvests credentials from browsers, mail and FTP clients and exfiltrates them over SMTP, FTP or HTTP, here over SMTP (see Malware Config).

Detect ZGRat V1 (1 IoC)
resource | yara_rule
behavioral1/memory/2420-3-0x0000000000650000-0x0000000000668000-memory.dmp | family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2420 set thread context of 2924 | 2420 | payment information.exe | RegSvcs.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
2420 | payment information.exe
2420 | payment information.exe
2924 | RegSvcs.exe
2924 | RegSvcs.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2420 | payment information.exe
Token: SeDebugPrivilege | 2924 | RegSvcs.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 2420 wrote to memory of 2924 | 2420 | payment information.exe | RegSvcs.exe
(the same event is recorded 12 times: twelve separate WriteProcessMemory calls into PID 2924)

Read together, the WriteProcessMemory and SetThreadContext hits describe the same parent/child pair (2420 -> 2924) and are consistent with process hollowing: the loader spawns the signed Microsoft .NET utility RegSvcs.exe, writes the unpacked AgentTesla payload into its address space and then redirects the child's thread to the new code, so the stealer executes under a trusted image name. The YARA hit on the memory dump of PID 2420 (a ZGRat family rule) fires on the unpacked stage in the loader's own memory, not on the file on disk.
Processes

1. C:\Users\Admin\AppData\Local\Temp\payment information.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
   PID: 2420
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2420)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2924
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note that RegSvcs.exe is launched with no arguments. The legitimate tool takes an assembly path to register, so a bare RegSvcs.exe (or RegAsm.exe, MSBuild.exe, InstallUtil.exe) spawned from a user-writable Temp path by an unsigned executable is a reliable hunting pivot for this family's injection behaviour, independent of the sample's hashes.
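The injection chain above can be recovered mechanically from the signature tables. The following is an added example, not part of the sandbox report or of the sandbox vendor's code: it parses event strings in the same wording the report uses ("PID <src> wrote to memory of <dst> ...", "PID <src> set thread context of <dst> ...") and flags any parent/child pair that shows both cross-process writes and a SetThreadContext on the same target. The sample events are constructed to mirror the report (with one benign write-only pair added as a negative case), and the list of hollowing hosts is an assumed hunting list, not something the report states.

```python
"""Process-hollowing heuristic over sandbox-style injection events (added example)."""
import re
from collections import defaultdict

# Assumed hunting list: signed .NET framework utilities commonly hollowed by
# commodity loaders. Extend it to taste; the report itself only shows RegSvcs.exe.
KNOWN_HOLLOW_HOSTS = {
    "regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe",
    "applaunch.exe", "vbc.exe", "csc.exe", "aspnet_compiler.exe",
}

# Event wording as it appears in the report's signature tables:
#   "PID <src> wrote to memory of <dst> <src> <src name> <dst name>"
#   "PID <src> set thread context of <dst> <src> <src name> <dst name>"
# The source name may contain spaces; the target name is the last token.
_EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<kind>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_name>.+) (?P<dst_name>\S+)$"
)

# Constructed sample events mirroring the report: 12 writes plus one
# SetThreadContext from 2420 into 2924, token events that are not injection
# events, and a benign write-only pair (1000 -> 1001) that must not be flagged.
SAMPLE_EVENTS = [
    "Token: SeDebugPrivilege 2420 payment information.exe",
    *["PID 2420 wrote to memory of 2924 2420 payment information.exe RegSvcs.exe"] * 12,
    "PID 2420 set thread context of 2924 2420 payment information.exe RegSvcs.exe",
    "Token: SeDebugPrivilege 2924 RegSvcs.exe",
    "PID 1000 wrote to memory of 1001 1000 explorer.exe notepad.exe",
]


def parse_event(line):
    """Return (kind, src_pid, dst_pid, src_name, dst_name) for an injection
    event, or None for any other line (token changes, YARA hits, ...)."""
    m = _EVENT_RE.match(line.strip())
    if not m:
        return None
    kind = "write" if m.group("kind").startswith("wrote") else "set_ctx"
    return (kind, int(m.group("src")), int(m.group("dst")),
            m.group("src_name"), m.group("dst_name"))


def find_hollowing(lines, min_writes=1):
    """Group injection events per (src, dst) pair and flag pairs that combine
    at least `min_writes` memory writes with a SetThreadContext on the target.
    Returns a list of finding dicts, one per flagged pair."""
    pairs = defaultdict(lambda: {"writes": 0, "set_ctx": 0})
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        kind, src, dst, src_name, dst_name = ev
        rec = pairs[(src, dst)]
        rec["src_name"], rec["dst_name"] = src_name, dst_name
        rec["writes" if kind == "write" else "set_ctx"] += 1

    findings = []
    for (src, dst), rec in sorted(pairs.items()):
        if src != dst and rec["writes"] >= min_writes and rec["set_ctx"] > 0:
            findings.append({
                "parent_pid": src,
                "child_pid": dst,
                "parent": rec["src_name"],
                "child": rec["dst_name"],
                "writes": rec["writes"],
                "set_thread_context": rec["set_ctx"],
                # True when the target is a known signed host for hollowing.
                "known_hollow_host": rec["dst_name"].lower() in KNOWN_HOLLOW_HOSTS,
            })
    return findings


if __name__ == "__main__":
    for finding in find_hollowing(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed events this yields a single finding for 2420 -> 2924 with twelve writes, one SetThreadContext and `known_hollow_host` set, while the write-only explorer.exe/notepad.exe pair is ignored. The write count is kept in the finding rather than used as a hard threshold because a loader can stage a payload in one large write; requiring the SetThreadContext is what separates hollowing from ordinary cross-process writes.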