Analysis
-
max time kernel
147s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
04-03-2024 17:13
Behavioral task
behavioral1
Sample
1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe
Resource
win10v2004-20240226-en
General
-
Target
1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe
-
Size
239KB
-
MD5
41a05027ae1abc87471806912d541084
-
SHA1
498dbb5ca1454c9d24417ec753f6b4d19df43d37
-
SHA256
0a7ed7874b472f88b5d20a911c35ba4eb3c973ad384920485ea360ade4bcfaca
-
SHA512
6b5d68d68f7008833b3150cdbe252082c856600680cee15283e82bfb7e75cd597a3c0c91dd63159448f76fcdda8bbc95dde88dd2efca52c38f1232b8eb9ddf35
-
SSDEEP
3072:70h/QEgsg2dnI0feplAMNX7D3U7G55kAI4Q5XMVdVJy9jAh:YNQEgsg2dnhehRHU7GcA/bVy
Malware Config
Extracted
Protocol: smtp- Host:
3dlens.net - Port:
587 - Username:
[email protected] - Password:
Bukky101@
Extracted
agenttesla
Protocol: smtp- Host:
3dlens.net - Port:
587 - Username:
[email protected] - Password:
Bukky101@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 26 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2240 1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe 2240 1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2240 1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe"C:\Users\Admin\AppData\Local\Temp\1709572324fc61a57503b4e7923083f394d2c7056db56d1cbf28169de3b6fb3850adf86696460.dat-decoded.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2240