Analysis

max time kernel: 140s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 01:03

Static task: static1
Behavioral task: behavioral1
  Sample: eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Resource: win10v2004-20231215-en
General

Target: eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
Size: 481KB
MD5: c4db22e342217e2d4a81fd7b023b7028
SHA1: b91ce461be008ec24faf2c0d72ad90e78567b82a
SHA256: eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35
SHA512: 862b0e1718bcad58cb7406caa21de1b6933775d344cb566bc21c191810fb803a3fe019ac8032456a7003d5a5431ef18871f9d4ce477326bff2b70b81a47cb0b5
SSDEEP: 6144:+Jt8tGAKfaFmS9q1izbKM94xkw+DR/6hb4Wx+7tS6OKIBGNLUY2yYBBndN3MVqRZ:+b8tHm+6xkwKRS5+4GNl8B93MB+
Malware Config

Extracted (generic SMTP credential extractor)
  Protocol: smtp
  Host: 66.29.151.236
  Port: 587
  Username: [email protected]
  Password: DRaa8A9L3DVc

Extracted (agenttesla)
  Protocol: smtp
  Host: 66.29.151.236
  Port: 587
  Username: [email protected]
  Password: DRaa8A9L3DVc
  Email To: [email protected]

Both blocks describe the same SMTP account; the family-specific Agent Tesla extraction additionally recovers the recipient address. The sender and recipient addresses are obfuscated in the source page as [email protected] and are reproduced as shown. Port 587 is the mail submission port, so the exfiltration channel is an authenticated SMTP session to 66.29.151.236, which is the endpoint worth blocking and hunting for.
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic (.NET). It is used mainly as an infostealer and keylogger; this sample is configured to exfiltrate over SMTP (see the extracted config above).
Detect ZGRat V1 (35 IoCs)

Processes (resource, yara_rule):
  behavioral2/memory/1696-4-0x0000000006370000-0x0000000006570000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-5-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-6-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-8-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-10-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-12-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-14-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-16-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-18-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-20-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-24-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-22-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-26-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-28-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-30-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-32-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-34-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-36-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-38-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-40-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-42-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-44-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-46-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-48-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-50-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-52-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-54-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-56-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-58-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-60-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-62-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-64-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-66-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1696-68-0x0000000006370000-0x000000000656A000-memory.dmp  family_zgrat_v1
  behavioral2/memory/1260-4829-0x0000000005FE0000-0x0000000006266000-memory.dmp  family_zgrat_v1

All but the last hit are successive dumps of one region (0x6370000 to 0x656A000, about 2 MB) in the process holding PID 1696. That PID is used twice in this run: first by the original sample and later by the tmpEE77.tmp.exe child that PID 1260 injects into (see the SetThreadContext section and the process tree), so these dumps should be attributed to the injected tmpEE77.tmp.exe instance, not to the sample's own image. The final hit is a region in the parent, PID 1260.
PureLog Stealer
PureLog Stealer is an infostealer written in C#.

PureLog Stealer payload (2 IoCs)

Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe  family_purelog_stealer
  behavioral2/memory/1260-4821-0x0000000000D50000-0x0000000000DCC000-memory.dmp  family_purelog_stealer
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.

Processes (description, ioc, process):
  Key value queried  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Key value queried  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation  fel.exe
Executes dropped EXE (4 IoCs)

Processes (pid, process):
  3068  fel.exe
  1260  tmpEE77.tmp.exe
  3484  tmpEE77.tmp.exe
  1696  tmpEE77.tmp.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs such as FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application (2 TTPs, 3 IoCs)

Processes (description, ioc, process):
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"  tmpEE77.tmp.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckje = "C:\\Users\\Admin\\AppData\\Roaming\\deebf\\ckje.exe"  tmpEE77.tmp.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe

Persistence is per-user (HKCU Run, no elevation needed) and both targets live under %APPDATA%, a user-writable directory. The Ozhvdskglxw value is written twice, once by the original sample and once by a tmpEE77.tmp.exe instance; the ckje value under the deebf subfolder is written by tmpEE77.tmp.exe only. Neither dropped path appears in the dropped-file list below, so the copies may not have been written before the run ended.
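A quick way to find Run-key entries like the two above on a suspect host is to export HKCU\...\Run with reg export and audit the values offline. The following is an added example written for this page, not part of the sandbox report or of any tool it names; the .reg text is constructed (the two malicious values are the ones recorded above, the OneDrive entry is a made-up benign neighbour), and the directory list and the "machine-generated name" heuristic are assumptions chosen for illustration.

```python
import re

# Reasons reported by the audit (constants so callers can match on them).
R_DIR = "image under user-writable profile directory"
R_NAME = "value name looks machine-generated"

# Lower-case path fragments a Run value should rarely point at: locations a
# non-elevated user can write to. Assumed list, extend for your environment.
SUSPICIOUS_DIRS = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# One "name"="value" line of a .reg export; backslashes and quotes are escaped.
_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


def _unescape(s):
    """Undo .reg escaping: \\\\ -> \\ and \\" -> " (single pass, char by char)."""
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_run_key(reg_text):
    """{value_name: command} for string values under a ...\\CurrentVersion\\Run section."""
    entries, in_run = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_run = line.lower().endswith("\\currentversion\\run]")
            continue
        if not in_run:
            continue
        m = _LINE.match(line)
        if m:
            entries[_unescape(m.group(1))] = _unescape(m.group(2))
    return entries


def image_path(command):
    """Executable part of a Run command: the quoted token if the command is
    quoted, otherwise whitespace tokens up to the first one ending in .exe
    (assumption: unquoted paths with spaces still end in .exe)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    acc = []
    for tok in command.split():
        acc.append(tok)
        if tok.lower().endswith(".exe"):
            break
    return " ".join(acc)


def _max_consonant_run(name):
    run = best = 0
    for ch in name.lower():
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def audit_run_key(reg_text):
    """{value_name: [reasons]} for entries worth a closer look."""
    findings = {}
    for name, command in parse_run_key(reg_text).items():
        path = image_path(command).lower()
        reasons = []
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append(R_DIR)
        if _max_consonant_run(name) >= 4:   # crude randomness heuristic
            reasons.append(R_NAME)
        if reasons:
            findings[name] = reasons
    return findings


# Constructed .reg export: the two values the sandbox recorded plus a benign entry.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\Admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Ozhvdskglxw"="C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"
"ckje"="C:\\Users\\Admin\\AppData\\Roaming\\deebf\\ckje.exe"
'''

if __name__ == "__main__":
    for name, why in audit_run_key(SAMPLE_REG).items():
        print(f"{name}: {'; '.join(why)}")
```

The name heuristic flags Ozhvdskglxw but not ckje; the path check catches both, which is why the directory rule is the one to rely on. A legitimate entry under %APPDATA% (OneDrive lives under AppData\Local\Microsoft here and is not flagged) still needs a human look, so treat the output as a triage list rather than a verdict.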
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes (flow, ioc):
  45  api.ipify.org
  46  api.ipify.org
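The two network indicators on this page, the SMTP endpoint from the extracted config and the api.ipify.org lookups, are low-value on their own (the lookup service is legitimate and port-587 traffic is normal for mail clients) but strong in combination from one process. The block below is an added example for this page, not code from the sandbox or from any tool it names: it matches flow records against the exact indicators and adds a behavioural rule for "external-IP lookup followed by an SMTP submission session from the same process". The Flow record shape, the sample flows and the ordering rule are assumptions; the report does not state the order of the sample's connections.

```python
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

# Indicators from the report: the Agent Tesla SMTP endpoint (host and port from
# the extracted config) and the external-IP lookup service the sample contacted.
SMTP_C2_IP = ipaddress.ip_address("66.29.151.236")
SMTP_C2_PORT = 587
IP_LOOKUP_HOSTS = {"api.ipify.org"}


@dataclass(frozen=True)
class Flow:
    seq: int      # position in the capture, used for ordering
    pid: int
    image: str
    proto: str    # "tcp" or "udp"
    dst: str      # destination IP, or the hostname the sandbox resolved it from
    dport: int


def match_flow(flow):
    """Exact-indicator labels for one flow (empty list if nothing matched)."""
    labels = []
    try:
        dst_ip = ipaddress.ip_address(flow.dst)
    except ValueError:          # a hostname, not an address
        dst_ip = None
    if flow.proto == "tcp" and dst_ip == SMTP_C2_IP and flow.dport == SMTP_C2_PORT:
        labels.append("agenttesla_smtp_c2")
    if flow.dst.lower() in IP_LOOKUP_HOSTS:
        labels.append("external_ip_lookup")
    return labels


def correlate(flows):
    """Per-PID findings: exact hits plus a behavioural hit when one process
    looks up its external IP and afterwards opens an SMTP submission (587)
    session to any host. The ordering rule is an assumption about how the
    stealer reports, not something the sandbox page states."""
    by_pid = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.seq):
        by_pid[f.pid].append(f)
    findings = {}
    for pid, pid_flows in by_pid.items():
        labels, saw_lookup = set(), False
        for f in pid_flows:
            hits = match_flow(f)
            labels.update(hits)
            if "external_ip_lookup" in hits:
                saw_lookup = True
            elif saw_lookup and f.proto == "tcp" and f.dport == 587:
                labels.add("ip_lookup_then_smtp_submission")
        if labels:
            findings[pid] = sorted(labels)
    return findings


# Constructed flows, not the report's pcap: the stealer instance, plus a mail
# client talking to its legitimate submission server for contrast (TEST-NET address).
SAMPLE_FLOWS = [
    Flow(1, 1696, "tmpEE77.tmp.exe", "udp", "8.8.8.8", 53),
    Flow(2, 1696, "tmpEE77.tmp.exe", "tcp", "api.ipify.org", 443),
    Flow(3, 1696, "tmpEE77.tmp.exe", "tcp", "66.29.151.236", 587),
    Flow(4, 4242, "outlook.exe", "tcp", "smtp.office365.com", 587),
    Flow(5, 4242, "outlook.exe", "tcp", "203.0.113.10", 443),
]

if __name__ == "__main__":
    for pid, labels in correlate(SAMPLE_FLOWS).items():
        print(pid, ", ".join(labels))
```

Because port 587 normally negotiates STARTTLS, the mail body is not inspectable on the wire even though the credentials are printed in the config; the destination address and port, and the per-process sequence, are what a network sensor can act on. The mail client in the sample data hits port 587 without a preceding lookup and is correctly left alone.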
Suspicious use of SetThreadContext (2 IoCs)

Processes (source PID, source image -> target PID, target image):
  1696 eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe -> 1568 eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  1260 tmpEE77.tmp.exe -> 1696 tmpEE77.tmp.exe

In both rows the source starts a fresh copy of its own image, writes into it (see the WriteProcessMemory section) and then sets the child's thread context: the process-hollowing pattern. PID 1696 appears in both rows with different images. In the first row it is the original sample; in the second it is the tmpEE77.tmp.exe child that was assigned the reused PID later in the run, which the process tree below shows as two distinct nodes.
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: AddClipboardFormatListener (1 IoCs)

Processes (pid, process):
  1696  tmpEE77.tmp.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)

Processes (pid, process):
  1568  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  1568  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  1260  tmpEE77.tmp.exe
  1260  tmpEE77.tmp.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)

Processes (description, pid, process):
  Token: SeDebugPrivilege  1696  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Token: SeDebugPrivilege  3068  fel.exe
  Token: SeDebugPrivilege  1568  eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Token: SeDebugPrivilege  1260  tmpEE77.tmp.exe
  Token: SeDebugPrivilege  1696  tmpEE77.tmp.exe
Suspicious use of WriteProcessMemory (25 IoCs)

Processes (source PID, source image -> target PID, target image; identical rows collapsed with a count):
  1696 eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe -> 3068 fel.exe  (x3)
  1696 eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe -> 1568 eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe  (x8)
  3068 fel.exe -> 1260 tmpEE77.tmp.exe  (x3)
  1260 tmpEE77.tmp.exe -> 3484 tmpEE77.tmp.exe  (x3)
  1260 tmpEE77.tmp.exe -> 1696 tmpEE77.tmp.exe  (x8)
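The WriteProcessMemory and SetThreadContext tables are enough to rebuild the process tree and to spot the two hollowing steps, provided the PID reuse on 1696 is handled: keying a tree on PID alone would merge the original sample with the injected tmpEE77.tmp.exe child. The block below is an added example for this page, not sandbox code; the events are transcribed from the two tables with repeated rows collapsed, and the assumption that a WriteProcessMemory edge is the parent-to-child edge holds on this page because every such edge coincides with the tree shown under Processes.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    image: str


@dataclass(frozen=True)
class Event:
    kind: str     # "wpm" = WriteProcessMemory, "stc" = SetThreadContext
    src: Proc
    dst: Proc


SAMPLE = "eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe"

# Transcribed from the report's WriteProcessMemory / SetThreadContext tables,
# one edge per distinct (source, target) pair.
EVENTS = [
    Event("wpm", Proc(1696, SAMPLE), Proc(3068, "fel.exe")),
    Event("wpm", Proc(1696, SAMPLE), Proc(1568, SAMPLE)),
    Event("stc", Proc(1696, SAMPLE), Proc(1568, SAMPLE)),
    Event("wpm", Proc(3068, "fel.exe"), Proc(1260, "tmpEE77.tmp.exe")),
    Event("wpm", Proc(1260, "tmpEE77.tmp.exe"), Proc(3484, "tmpEE77.tmp.exe")),
    Event("wpm", Proc(1260, "tmpEE77.tmp.exe"), Proc(1696, "tmpEE77.tmp.exe")),
    Event("stc", Proc(1260, "tmpEE77.tmp.exe"), Proc(1696, "tmpEE77.tmp.exe")),
]


def reused_pids(events):
    """PIDs seen with more than one image name. A PID is only handed out again
    after its previous holder exited, so this exposes reuse inside one run."""
    images = defaultdict(set)
    for e in events:
        for p in (e.src, e.dst):
            images[p.pid].add(p.image)
    return {pid for pid, imgs in images.items() if len(imgs) > 1}


def build_tree(events):
    """children[parent] -> ordered unique children, keyed by (pid, image) so a
    reused PID becomes two nodes instead of one merged node."""
    children = defaultdict(list)
    for e in events:
        if e.kind == "wpm" and e.dst not in children[e.src]:
            children[e.src].append(e.dst)
    return children


def roots(events):
    """Sources that are never a target, in first-seen order."""
    targets = {e.dst for e in events}
    return [p for p in dict.fromkeys(e.src for e in events) if p not in targets]


def hollowing_candidates(events):
    """(src, dst, same_image) for every target that was written to and then had
    its thread context set by the same source; same_image marks classic hollowing."""
    wrote = {(e.src, e.dst) for e in events if e.kind == "wpm"}
    return [(e.src, e.dst, e.src.image == e.dst.image)
            for e in events if e.kind == "stc" and (e.src, e.dst) in wrote]


def render(events):
    """Indented tree lines, one per process node."""
    children, lines = build_tree(events), []

    def walk(p, depth):
        lines.append("  " * depth + f"{p.image} (PID {p.pid})")
        for c in children.get(p, []):
            walk(c, depth + 1)

    for r in roots(events):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render(EVENTS)))
    print("reused PIDs:", reused_pids(EVENTS))
    for s, d, same in hollowing_candidates(EVENTS):
        print(f"hollowing? {s.pid} -> {d.pid} same image={same}")
```

Keying on (pid, image) is the best this report allows; it would still merge two same-named processes that took the same PID in turn, so on telemetry that carries it, key on (pid, creation time) instead. The rendered tree reproduces the six-node tree under Processes, with the injected tmpEE77.tmp.exe (PID 1696) as a child of PID 1260 rather than folded into the root.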
Processes (depth shown by indentation)

C:\Users\Admin\AppData\Local\Temp\eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe"
  PID: 1696
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\fel.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fel.exe"
    PID: 3068
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe"
      PID: 1260
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe
        PID: 3484
        - Executes dropped EXE

      C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\tmpEE77.tmp.exe
        PID: 1696
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe
    PID: 1568
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads (dropped files)

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\eb18c1fdf1c1f4360d3de340f309a2e3a991d67273d4bb72297797c731eeec35.exe.log
  Filesize: 1KB
  MD5: c3941d9fa38f1717d5cecd7a2ca71667
  SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
  SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
  SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

File 2 (path not shown in the source)
  Filesize: 1KB
  MD5: 435e0068bcb9090064eedccd2e18bfca
  SHA1: 9329bc444452d8ac807b085e0428b159e8eed352
  SHA256: 5721053800850afc4469bf2d079768d6d3444c6cb64394978830355ec1babdc6
  SHA512: 6c26cac18fff415ce13c12cef4656596b32d41d918c34419e39de16b27fecd4c4c912301c2293bb9c101df41ebf08a996fa26c2460c5934c5de44f01f8aab9f6

File 3 (path not shown in the source)
  Filesize: 35KB
  MD5: b47c31e89b4cacc864b6279983b4ffc3
  SHA1: b082036aa2adb45f2db952d8dcd200fe766cf3cf
  SHA256: 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
  SHA512: d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e

File 4 (path not shown in the source)
  Filesize: 481KB
  MD5: 3a44104fb5d035d1cd725732e94a5e8d
  SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
  SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
  SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1

The CLR_v4.0_32\UsageLogs\<image>.log file is written by the 32-bit .NET 4 runtime when it executes a managed assembly, which is consistent with the .NET-based families identified above. File 4 has the same size as the submitted sample (481KB) but a different hash, so it is not a byte-identical copy; the source does not say which dropped file it is.