Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 12-12-2023 14:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
- Sample: payment information.exe
- Resource: win7-20231129-en (windows7-x64)
- 7 signatures, 150 seconds
General
- Target: payment information.exe
- Size: 662KB
- MD5: 601faa896b9ddbf2e26564f88e5f2280
- SHA1: fc542a95d91dcd6c7ec461e1796b49167bf3a8f9
- SHA256: f24a13886b4f210691bf73566963618b370ca0781cf65cb212cafb13e12060ff
- SHA512: 7bcf72a99a6c4f2044c09866211bf489dea9a3c628f63db3eddea23b08516fbf7434c852daa1d22e8fd4e0bfcd621dfe1991285f91477780bcb6ddabcb48324c
- SSDEEP: 12288:njobG+4WpAEvyQvEsTLEzOC0lamfm1cjZxdDWDCzklbpe+f2+:spAEosfE8amfm2jZxdDQDHe
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: MAIL.starmech.in
  - Port: 587
  - Username: [email protected]
  - Password: gaging@2022
  - Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  Processes:
    resource                                                                      yara_rule
    behavioral1/memory/2876-3-0x0000000000650000-0x0000000000668000-memory.dmp    family_zgrat_v1
- Suspicious use of SetThreadContext (1 IoC)
  Processes: payment information.exe
    description                           pid    process                    target process
    PID 2876 set thread context of 2144   2876   payment information.exe    RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: payment information.exe, RegSvcs.exe
    pid    process
    2876   payment information.exe
    2876   payment information.exe
    2144   RegSvcs.exe
    2144   RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: payment information.exe, RegSvcs.exe
    description                pid    process
    Token: SeDebugPrivilege    2876   payment information.exe
    Token: SeDebugPrivilege    2144   RegSvcs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: payment information.exe
    description                          pid    process                    target process
    PID 2876 wrote to memory of 2144     2876   payment information.exe    RegSvcs.exe
    (this row is recorded 12 times in the report, once per write)
Processes
1. C:\Users\Admin\AppData\Local\Temp\payment information.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
   PID: 2876
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2876)
      Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      PID: 2144
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken