Analysis

max time kernel: 67s
max time network: 51s
platform: windows10-2004_x64
resource: win10v2004-20231130-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-12-2023 14:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: payment information.exe
  Resource: win7-20231023-en (windows7-x64)
  7 signatures, 150 seconds
General

Target: payment information.exe
Size: 662KB
MD5: 601faa896b9ddbf2e26564f88e5f2280
SHA1: fc542a95d91dcd6c7ec461e1796b49167bf3a8f9
SHA256: f24a13886b4f210691bf73566963618b370ca0781cf65cb212cafb13e12060ff
SHA512: 7bcf72a99a6c4f2044c09866211bf489dea9a3c628f63db3eddea23b08516fbf7434c852daa1d22e8fd4e0bfcd621dfe1991285f91477780bcb6ddabcb48324c
SSDEEP: 12288:njobG+4WpAEvyQvEsTLEzOC0lamfm1cjZxdDWDCzklbpe+f2+:spAEosfE8amfm2jZxdDQDHe
Malware Config

Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: MAIL.starmech.in
  Port: 587
  Username: [email protected]
  Password: gaging@2022
  Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer, originally written in Visual Basic .NET. The configuration extracted above gives this sample's exfiltration channel: harvested data is sent by SMTP through MAIL.starmech.in on port 587 with the embedded mailbox and password, so that host and account are the actionable network indicators from this run.
Detect ZGRat V1 (1 IoC)
  Resource: behavioral2/memory/4840-6-0x00000000064B0000-0x00000000064C8000-memory.dmp
  YARA rule: family_zgrat_v1

Suspicious use of SetThreadContext (1 IoC)
  PID 4840 (payment information.exe) set thread context of PID 460 (RegSvcs.exe)

Program crash (1 IoC)
  PID 3404 (WerFault.exe) handled the crash of PID 460 (RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 4840 (payment information.exe) x4
  PID 460 (RegSvcs.exe) x2

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 4840 (payment information.exe)
  Token: SeDebugPrivilege, PID 460 (RegSvcs.exe)

Suspicious use of WriteProcessMemory (11 IoCs)
  PID 4840 (payment information.exe) wrote to memory of PID 3748 (RegSvcs.exe) x3
  PID 4840 (payment information.exe) wrote to memory of PID 460 (RegSvcs.exe) x8
Processes

C:\Users\Admin\AppData\Local\Temp\payment information.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
  PID: 4840
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 3748

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 460
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 460 -s 1388
      PID: 3404
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 460 -ip 460
  PID: 3504
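The signature tables and the process tree together describe a process-hollowing sequence: the loader spawns two RegSvcs.exe children, writes into the first one three times and then abandons it, writes into the second one eight times, redirects that child's thread with SetThreadContext, and the second child later crashes under WerFault. The following Python is an added example of correlating those events per child PID; it is not code from the sandbox vendor or from the report. The event list is transcribed by hand from the tables above, and the field names, the HOLLOW_HOSTS list beyond RegSvcs.exe, and the verdict heuristics are my own assumptions.

```python
"""Correlate sandbox events into a per-child process-hollowing verdict.

Added example, not part of the report. EVENTS is constructed from the
report's process tree and its SetThreadContext / WriteProcessMemory /
Program crash tables; the detection heuristic is an assumption of mine.
"""
from dataclasses import dataclass

# Signed .NET framework utilities that loaders commonly hollow. RegSvcs.exe is
# the host seen in this report; the other names are an assumed extension.
HOLLOW_HOSTS = {"regsvcs.exe", "regasm.exe", "msbuild.exe", "installutil.exe"}


def _ev(op, pid, target, **extra):
    """Build one event record: acting pid, affected (target) pid, extras."""
    return {"op": op, "pid": pid, "target": target, **extra}


# Constructed event stream, in the order the report's tables list them.
EVENTS = [
    _ev("create", 4840, 3748, image="RegSvcs.exe", parent_image="payment information.exe"),
    _ev("create", 4840, 460, image="RegSvcs.exe", parent_image="payment information.exe"),
    *[_ev("write", 4840, 3748) for _ in range(3)],   # 3 writes into the first child
    *[_ev("write", 4840, 460) for _ in range(8)],    # 8 writes into the second child
    _ev("set_thread_context", 4840, 460),            # thread redirected into the payload
    _ev("crash", 3404, 460, image="WerFault.exe"),   # WerFault.exe -p 460
]


@dataclass
class Candidate:
    injector: int
    target: int
    target_image: str
    writes: int = 0
    thread_context: bool = False
    crashed: bool = False

    @property
    def verdict(self) -> str:
        """Classify what the injector did to this child."""
        if self.writes and self.thread_context:
            return "hollowed"    # payload written, then execution redirected into it
        if self.writes:
            return "abandoned"   # written to but never redirected: a failed attempt
        return "clean"


def analyse(events):
    """Track every child whose image is a known hollow host, keyed by child PID."""
    by_target = {}
    for e in events:
        if e["op"] == "create":
            if e["image"].lower() in HOLLOW_HOSTS:
                by_target[e["target"]] = Candidate(e["pid"], e["target"], e["image"])
            continue
        c = by_target.get(e["target"])
        if c is None:
            continue  # not a tracked hollow host
        if e["op"] == "write" and e["pid"] == c.injector:
            c.writes += 1
        elif e["op"] == "set_thread_context" and e["pid"] == c.injector:
            c.thread_context = True
        elif e["op"] == "crash":
            c.crashed = True
    return by_target


def findings(events):
    """One analyst-readable line per suspicious child, keyed by child PID."""
    out = {}
    for pid, c in analyse(events).items():
        if c.verdict == "clean":
            continue
        note = f"{c.target_image} (pid {pid}) {c.verdict} by pid {c.injector}: {c.writes} writes"
        if c.crashed:
            note += ", later crashed (WerFault)"
        out[pid] = note
    return out


if __name__ == "__main__":
    for line in findings(EVENTS).values():
        print(line)
```

Run against the transcribed events, PID 460 is reported as hollowed (eight writes, SetThreadContext, then a WerFault crash) and PID 3748 as an abandoned attempt (three writes, no thread redirection). In a real EDR pipeline the same correlation runs over process-create, cross-process write and thread-context telemetry; the abandoned child is worth surfacing because it is the same injector retrying, not noise.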