Analysis
max time kernel: 150s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 13:16
Static task: static1
Behavioral task: behavioral1
  Sample: BF-TL-605877001.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: BF-TL-605877001.exe
  Resource: win10v2004-20240226-en
General
Target: BF-TL-605877001.exe
Size: 481KB
MD5: d555da013d512f714926dd3213083e5d
SHA1: 25ae9c59ae5b3bfe27933981b0a68a0445b22458
SHA256: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
SHA512: 7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0
SSDEEP: 6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm
Malware Config
Extracted
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd

Extracted (agenttesla)
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd
Email To: [email protected]
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; the extracted config above is its SMTP exfiltration channel.
Detect ZGRat V1 35 IoCs
resource | yara_rule
behavioral2/memory/1208-4-0x00000000055B0000-0x00000000057B0000-memory.dmp | family_zgrat_v1
behavioral2/memory/1208-N-0x00000000055B0000-0x00000000057AB000-memory.dmp for N in 5, 6, 8, 10, 12, 14, 16, 18, 20, 22, 24, 26, 28, 30, 32, 34, 36, 38, 40, 42, 44, 46, 48, 50, 52, 54, 56, 58, 60, 62, 64, 66, 68 (33 dumps of the same region in PID 1208) | family_zgrat_v1
behavioral2/memory/3020-4833-0x0000000005E60000-0x00000000060E6000-memory.dmp | family_zgrat_v1
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
PureLog Stealer payload 2 IoCs
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe | family_purelog_stealer
behavioral2/memory/3020-4824-0x0000000000BD0000-0x0000000000C4C000-memory.dmp | family_purelog_stealer
Downloads MZ/PE file
Checks computer location settings 2 TTPs 2 IoCs
Looks up the country code configured in the registry, likely for geofencing.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | BF-TL-605877001.exe
Key value queried | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation | fel.exe
Executes dropped EXE 2 IoCs
pid | process
2900 | fel.exe
3020 | tmp9872.tmp.exe
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" | BF-TL-605877001.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
77 | api.ipify.org
78 | api.ipify.org
79 | ip-api.com
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 1208 set thread context of 3640 | 1208 | BF-TL-605877001.exe | BF-TL-605877001.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid | process
1208 | BF-TL-605877001.exe (6 hits)
3640 | BF-TL-605877001.exe (3 hits)
Suspicious use of AdjustPrivilegeToken 4 IoCs
description | pid | process
Token: SeDebugPrivilege | 1208 | BF-TL-605877001.exe
Token: SeDebugPrivilege | 2900 | fel.exe
Token: SeDebugPrivilege | 3640 | BF-TL-605877001.exe
Token: SeDebugPrivilege | 3020 | tmp9872.tmp.exe
Suspicious use of WriteProcessMemory 23 IoCs
description | pid | process | target process
PID 1208 wrote to memory of 2900 (3 hits) | 1208 | BF-TL-605877001.exe | fel.exe
PID 1208 wrote to memory of 4204 (3 hits) | 1208 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 1208 wrote to memory of 3892 (3 hits) | 1208 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 1208 wrote to memory of 5012 (3 hits) | 1208 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 1208 wrote to memory of 3640 (8 hits) | 1208 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 2900 wrote to memory of 3020 (3 hits) | 2900 | fel.exe | tmp9872.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"
  PID: 1208
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\fel.exe (depth 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\fel.exe"
      PID: 2900
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe (depth 3)
          Command line: "C:\Users\Admin\AppData\Local\Temp\tmp9872.tmp.exe"
          PID: 3020
          - Executes dropped EXE
          - Suspicious use of AdjustPrivilegeToken
    C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
      PID: 4204
      (no signatures)
    C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
      PID: 3892
      (no signatures)
    C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
      PID: 5012
      (no signatures)
    C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (depth 2)
      Command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
      PID: 3640
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
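Read together, the signatures and the process tree describe one chain: the sample running from %TEMP% writes a Run value pointing into AppData\Roaming, spawns four copies of itself and sets the thread context of the last one (PID 3640; the other three copies show no further activity, which is what a process-hollowing retry loop looks like in a sandbox), and that final copy resolves api.ipify.org and ip-api.com before the SMTP exfiltration described in the extracted config. The script below is an added example, not part of the Triage report or of any Triage tooling: it replays that chain as constructed Sysmon-style events (event ids follow Sysmon, the dict layout and the benign git.exe control process are assumptions) and correlates them per process tree so that a single behaviour does not fire on its own.

```python
"""Correlate Sysmon-style telemetry into the behaviour chain this report describes."""
import re
from collections import defaultdict

# Constructed events modelled on the report's process tree and IoCs (not real
# telemetry). Event ids follow Sysmon: 1 = process create, 3 = network connect,
# 13 = registry value set, 22 = DNS query. The dict layout is an assumption
# made for this example, not a real log format.
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = TEMP + r"\BF-TL-605877001.exe"
EXPLORER = r"C:\Windows\explorer.exe"
RUN_KEY = (r"HKU\S-1-5-21-557049126-2506969350-2798870634-1000"
           r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw")
GIT = r"C:\Program Files\Git\cmd\git.exe"   # benign control, assumed path

EVENTS = [
    {"id": 1, "pid": 1208, "ppid": 700, "image": SAMPLE, "parent_image": EXPLORER},
    {"id": 13, "pid": 1208, "image": SAMPLE, "target": RUN_KEY,
     "details": r"C:\Users\Admin\AppData\Roaming\Ozhvdskglxw.exe"},
    {"id": 1, "pid": 2900, "ppid": 1208, "image": TEMP + r"\fel.exe", "parent_image": SAMPLE},
    # Four copies of itself; only the last (3640) gets SetThreadContext and runs on.
    *({"id": 1, "pid": p, "ppid": 1208, "image": SAMPLE, "parent_image": SAMPLE}
      for p in (4204, 3892, 5012, 3640)),
    {"id": 22, "pid": 3640, "image": SAMPLE, "query": "api.ipify.org"},
    {"id": 22, "pid": 3640, "image": SAMPLE, "query": "ip-api.com"},
    {"id": 3, "pid": 3640, "image": SAMPLE, "dst_ip": "66.29.151.236", "dst_port": 587},
    # Benign control: HTTPS from Program Files to a TEST-NET address.
    {"id": 1, "pid": 5100, "ppid": 700, "image": GIT, "parent_image": EXPLORER},
    {"id": 3, "pid": 5100, "image": GIT, "dst_ip": "203.0.113.10", "dst_port": 443},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com"}   # the two services in the report
MAIL_PORTS = {25, 465, 587}                          # SMTP ports used for mail exfil


def user_writable(path):
    """True for anything under a user's AppData tree (Temp, Roaming, Local)."""
    return bool(USER_WRITABLE.search(path or ""))


def root_of(pid, parents):
    """Walk up the parent chain, but only through processes we saw being
    created, so the chain stops at something already running (explorer.exe)."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def correlate(events):
    """Group findings by process-tree root; keep roots with >= 2 behaviour kinds."""
    parents = {e["pid"]: e["ppid"] for e in events if e["id"] == 1}
    findings = defaultdict(list)
    self_spawn = defaultdict(int)
    for e in events:
        root = root_of(e["pid"], parents)
        img = e.get("image", "")
        if e["id"] == 1 and img.lower() == e.get("parent_image", "").lower() and user_writable(img):
            self_spawn[root] += 1          # parent image == child image: hollowing candidate
        elif e["id"] == 13 and RUN_KEY_RE.search(e["target"]) and user_writable(e["details"]):
            findings[root].append(f"run_key_persistence:{e['details']}")
        elif e["id"] == 22 and e["query"].lower() in IP_LOOKUP_HOSTS:
            findings[root].append(f"external_ip_lookup:{e['query']}")
        elif e["id"] == 3 and e["dst_port"] in MAIL_PORTS and user_writable(img):
            findings[root].append(f"smtp_from_user_writable:{e['dst_ip']}:{e['dst_port']}")
    for root, n in self_spawn.items():
        findings[root].append(f"self_spawn_hollowing_candidate:x{n}")
    return {r: f for r, f in findings.items()
            if len({x.split(":")[0] for x in f}) >= 2}


if __name__ == "__main__":
    for root, hits in correlate(EVENTS).items():
        print(f"root PID {root}:")
        for h in hits:
            print("  ", h)
```

The two-kind threshold is the point of the correlation: a self-spawn alone is how some installers and updaters behave, and an ipify lookup alone is common in legitimate software, but a process tree from a user-writable path that does both and then talks SMTP is the pattern this report shows. On real telemetry, key the correlation on the logon session or process GUID rather than bare PIDs, which are reused.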
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

Filesize: 35KB
MD5: b47c31e89b4cacc864b6279983b4ffc3
SHA1: b082036aa2adb45f2db952d8dcd200fe766cf3cf
SHA256: 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
SHA512: d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e

Filesize: 481KB
MD5: 3a44104fb5d035d1cd725732e94a5e8d
SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1