Analysis
Max time kernel: 135s
Max time network: 142s
Platform: windows10-2004_x64
Resource: win10v2004-20231127-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231127-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 12-12-2023 14:34

Static task: static1 (1 signature)
Behavioral task: behavioral1
  Sample: payment information.exe
  Resource: win7-20231129-en (windows7-x64)
  7 signatures, 150 seconds
General
Target: payment information.exe
Size: 662KB
MD5: 601faa896b9ddbf2e26564f88e5f2280
SHA1: fc542a95d91dcd6c7ec461e1796b49167bf3a8f9
SHA256: f24a13886b4f210691bf73566963618b370ca0781cf65cb212cafb13e12060ff
SHA512: 7bcf72a99a6c4f2044c09866211bf489dea9a3c628f63db3eddea23b08516fbf7434c852daa1d22e8fd4e0bfcd621dfe1991285f91477780bcb6ddabcb48324c
SSDEEP: 12288:njobG+4WpAEvyQvEsTLEzOC0lamfm1cjZxdDWDCzklbpe+f2+:spAEosfE8amfm2jZxdDQDHe
Malware Config
Extracted
Family: agenttesla
Credentials:
  Protocol: smtp
  Host: MAIL.starmech.in
  Port: 587
  Username: [email protected]
  Password: gaging@2022
  Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoC)
  Processes:
  resource | yara_rule
  behavioral2/memory/4060-6-0x0000000005AF0000-0x0000000005B08000-memory.dmp | family_zgrat_v1
- Suspicious use of SetThreadContext (1 IoC)
  Processes: payment information.exe
  description | pid | process | target process
  PID 4060 set thread context of 208 | 4060 | payment information.exe | RegSvcs.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid | pid_target | process | target process
  2608 | 208 | WerFault.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: payment information.exe, RegSvcs.exe
  pid | process
  4060 | payment information.exe
  4060 | payment information.exe
  208 | RegSvcs.exe
  208 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: payment information.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 4060 | payment information.exe
  Token: SeDebugPrivilege | 208 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: payment information.exe
  description | pid | process | target process
  PID 4060 wrote to memory of 208 | 4060 | payment information.exe | RegSvcs.exe
  (the same row is recorded 8 times in the report)
Processes
- C:\Users\Admin\AppData\Local\Temp\payment information.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment information.exe"
  PID: 4060
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 208
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 1380
      PID: 2608
      - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 208 -ip 208
  PID: 2804