Analysis
max time kernel: 152s
max time network: 145s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 07/01/2024, 19:20

Static task: static1 (1 signatures)
Behavioral task: behavioral1
  Sample: ad1f2095f630d9aeadca2ea71aa4f996.exe
  Resource: win7-20231215-en
  8 signatures
  150 seconds
General
Target: ad1f2095f630d9aeadca2ea71aa4f996.exe
Size: 708KB
MD5: ad1f2095f630d9aeadca2ea71aa4f996
SHA1: b70f3f9f800b7b818ae016ad254d972a8a73ffa7
SHA256: 24f07c42706495104f82dda5cacb1be3e3c1dda033f7b0ceaf9c5836007baad6
SHA512: dcbc71f5d36c1522be7b84cdc73c92f177e7f66994f719a538dddf9ef76f4b4d9f3b7de577eac98be9e14a0e372865388af8925061e55cf3518a22b3d919edc8
SSDEEP: 12288:TitcoVhwCsYjlhBaB7t6vSajTQAenCfhDV2BwF8:OtrhTj2heThewF8
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: newbeginning
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect ZGRat V1 (34 IoCs)
resource | yara_rule
behavioral1/memory/2804-6-0x0000000006000000-0x0000000006078000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-7-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-8-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-12-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-20-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-26-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-24-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-28-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-22-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-32-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-42-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-48-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-50-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-46-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-44-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-52-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-40-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-38-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-36-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-60-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-70-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-68-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-66-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-64-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-62-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-58-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-56-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-54-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-34-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-30-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-18-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-16-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-14-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
behavioral1/memory/2804-10-0x0000000006000000-0x0000000006073000-memory.dmp | family_zgrat_v1
AgentTesla payload (3 IoCs)
resource | yara_rule
behavioral1/memory/1736-2236-0x0000000000400000-0x000000000043C000-memory.dmp | family_agenttesla
behavioral1/memory/1736-2237-0x0000000004AA0000-0x0000000004AE0000-memory.dmp | family_agenttesla
behavioral1/memory/1736-2239-0x0000000004AA0000-0x0000000004AE0000-memory.dmp | family_agenttesla
Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2804 set thread context of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
Suspicious behavior: EnumeratesProcesses (3 IoCs)
pid | Process
2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe
1736 | ad1f2095f630d9aeadca2ea71aa4f996.exe
1736 | ad1f2095f630d9aeadca2ea71aa4f996.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe
Token: SeDebugPrivilege | 1736 | ad1f2095f630d9aeadca2ea71aa4f996.exe
Suspicious use of WriteProcessMemory (9 IoCs)
description | pid | Process | procid_target
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
PID 2804 wrote to memory of 1736 | 2804 | ad1f2095f630d9aeadca2ea71aa4f996.exe | 29
Processes

C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe"
  PID: 2804
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe (tree level 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\ad1f2095f630d9aeadca2ea71aa4f996.exe
    PID: 1736
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken