Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 13:17
Static task: static1
Behavioral task: behavioral1
  Sample: BF-TL-605877001.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: BF-TL-605877001.exe
  Resource: win10v2004-20240226-en
General
Target: BF-TL-605877001.exe
Size: 481KB
MD5: d555da013d512f714926dd3213083e5d
SHA1: 25ae9c59ae5b3bfe27933981b0a68a0445b22458
SHA256: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
SHA512: 7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0
SSDEEP: 6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm
Malware Config
Extracted
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd
Extracted
Family: agenttesla
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd
Email To: [email protected]
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect ZGRat V1 (35 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3624-5-0x0000000006360000-0x0000000006560000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-6-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-7-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-9-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-11-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-13-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-15-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-17-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-19-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-21-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-23-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-25-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-27-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-29-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-31-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-33-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-35-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-37-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-39-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-41-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-43-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-45-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-47-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-49-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-51-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-53-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-55-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-57-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-59-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-61-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-63-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-65-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-67-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/3624-69-0x0000000006360000-0x000000000655B000-memory.dmp | family_zgrat_v1
behavioral2/memory/4404-4830-0x0000000005E90000-0x0000000006116000-memory.dmp | family_zgrat_v1
- PureLog Stealer
PureLog Stealer is an infostealer written in C#.
- PureLog Stealer payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\tmp1A0B.tmp.exe | family_purelog_stealer
behavioral2/memory/4404-4823-0x0000000000C10000-0x0000000000C8C000-memory.dmp | family_purelog_stealer
- Downloads MZ/PE file
- Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | BF-TL-605877001.exe
Key value queried | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation | fel.exe
- Executes dropped EXE (3 IoCs)
Processes:
pid | process
3300 | fel.exe
4404 | tmp1A0B.tmp.exe
4848 | tmp1A0B.tmp.exe
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" | BF-TL-605877001.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe" | tmp1A0B.tmp.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ckje = "C:\\Users\\Admin\\AppData\\Roaming\\deebf\\ckje.exe" | tmp1A0B.tmp.exe
- Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
79 | api.ipify.org
80 | ip-api.com
78 | api.ipify.org
- Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 3624 set thread context of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 4404 set thread context of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
- Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
- Suspicious behavior: AddClipboardFormatListener (1 IoCs)
Processes:
pid | process
4848 | tmp1A0B.tmp.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
4308 | BF-TL-605877001.exe
4308 | BF-TL-605877001.exe
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3624 | BF-TL-605877001.exe
Token: SeDebugPrivilege | 4308 | BF-TL-605877001.exe
Token: SeDebugPrivilege | 3300 | fel.exe
Token: SeDebugPrivilege | 4404 | tmp1A0B.tmp.exe
Token: SeDebugPrivilege | 4848 | tmp1A0B.tmp.exe
- Suspicious use of WriteProcessMemory (22 IoCs)
Processes:
description | pid | process | target process
PID 3624 wrote to memory of 3300 | 3624 | BF-TL-605877001.exe | fel.exe
PID 3624 wrote to memory of 3300 | 3624 | BF-TL-605877001.exe | fel.exe
PID 3624 wrote to memory of 3300 | 3624 | BF-TL-605877001.exe | fel.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3624 wrote to memory of 4308 | 3624 | BF-TL-605877001.exe | BF-TL-605877001.exe
PID 3300 wrote to memory of 4404 | 3300 | fel.exe | tmp1A0B.tmp.exe
PID 3300 wrote to memory of 4404 | 3300 | fel.exe | tmp1A0B.tmp.exe
PID 3300 wrote to memory of 4404 | 3300 | fel.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
PID 4404 wrote to memory of 4848 | 4404 | tmp1A0B.tmp.exe | tmp1A0B.tmp.exe
Processes
C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe"
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3624
  C:\Users\Admin\AppData\Local\Temp\fel.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\fel.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3300
    C:\Users\Admin\AppData\Local\Temp\tmp1A0B.tmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\tmp1A0B.tmp.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 4404
      C:\Users\Admin\AppData\Local\Temp\tmp1A0B.tmp.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\tmp1A0B.tmp.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious use of AdjustPrivilegeToken
        PID: 4848
  C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 4308
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

Filesize: 1KB
MD5: 435e0068bcb9090064eedccd2e18bfca
SHA1: 9329bc444452d8ac807b085e0428b159e8eed352
SHA256: 5721053800850afc4469bf2d079768d6d3444c6cb64394978830355ec1babdc6
SHA512: 6c26cac18fff415ce13c12cef4656596b32d41d918c34419e39de16b27fecd4c4c912301c2293bb9c101df41ebf08a996fa26c2460c5934c5de44f01f8aab9f6

Filesize: 35KB
MD5: b47c31e89b4cacc864b6279983b4ffc3
SHA1: b082036aa2adb45f2db952d8dcd200fe766cf3cf
SHA256: 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
SHA512: d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e

Filesize: 481KB
MD5: 3a44104fb5d035d1cd725732e94a5e8d
SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1