Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 13-12-2023 01:19

Static task: static1

Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.RATX-gen.1832.exe
- Resource: win7-20231201-en

Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Win32.RATX-gen.1832.exe
- Resource: win10v2004-20231130-en
General
- Target: SecuriteInfo.com.Win32.RATX-gen.1832.exe
- Size: 811KB
- MD5: 7fb1638e865e58b80b1726a7f7be73f9
- SHA1: d1a0f23aa68c74558b2762d21cab404d7ca92217
- SHA256: 4ac078a48ff7d80ccbc37c526e395b51f900c8206afe29e27b2a84bd2cd84532
- SHA512: c6e24465c67beb6b849ce386065812915160d2cd6afca7a5a9d210a056c3ca6d559d2e7fa494c41da7a0c484b080748210d623b38ebd8b98226c3c511d96b672
- SSDEEP: 12288:Wd6tmebg0pGSMujFv+HUL1300mv6wjIq40+vSIRmx8x4+/LVmIK8:WAtmebgIRvsKJ00mnjIE+v10IZ
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: NX@@OLDdollarDV8FW7
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (1 IoCs)
  resource / yara_rule:
  - behavioral2/memory/4672-6-0x0000000005C80000-0x0000000005C98000-memory.dmp: family_zgrat_v1
- Accesses Microsoft Outlook profiles (1 TTPs, 3 IoCs)
  description / ioc / process:
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- Suspicious use of SetThreadContext (1 IoCs)
  description / pid / process / target process:
  - PID 4672 set thread context of 640: 4672 SecuriteInfo.com.Win32.RATX-gen.1832.exe -> RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid / process:
  - 640 RegSvcs.exe
  - 640 RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description / pid / process:
  - Token: SeDebugPrivilege: 640 RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description / pid / process / target process:
  - PID 4672 wrote to memory of 640: 4672 SecuriteInfo.com.Win32.RATX-gen.1832.exe -> RegSvcs.exe (this row appears 8 times in the report)
- outlook_office_path (1 IoCs)
  description / ioc / process:
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
- outlook_win_path (1 IoCs)
  description / ioc / process:
  - Key opened: \REGISTRY\USER\S-1-5-21-423100829-2271632622-1028104103-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RegSvcs.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.1832.exe (PID 4672)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.1832.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 640)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path