Analysis
max time kernel: 151s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 13:17

Static task: static1
Behavioral task: behavioral1 (sample BF-TL-605877001.exe, resource win7-20240221-en)
Behavioral task: behavioral2 (sample BF-TL-605877001.exe, resource win10v2004-20240226-en)
General
Target: BF-TL-605877001.exe
Size: 481KB
MD5: d555da013d512f714926dd3213083e5d
SHA1: 25ae9c59ae5b3bfe27933981b0a68a0445b22458
SHA256: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
SHA512: 7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0
SSDEEP: 6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm
Malware Config

Extracted (no family label)
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected] (mailbox shown redacted on the page)
Password: moIynCqPXDmd

Extracted (agenttesla)
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected] (mailbox shown redacted on the page)
Password: moIynCqPXDmd
Email To: [email protected]
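The two Extracted blocks above are the same SMTP exfil configuration, once without and once with the family label and recipient. The following is an added example, not part of the report or of any sandbox tooling: it parses the flattened config text into a typed record, collapses the duplicate, and turns the result into the indicators and a network rule a hunt team would act on. The sample text is constructed to mirror the report's own line breaks; the `[email protected]` placeholder is the redaction the page shows, and the rule/IOC wording is the example's own.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the two "Extracted" config blocks exactly as the report
# flattens them (a field's value wraps onto the next line, fields are joined
# by " - "). The mailbox is the redacted placeholder the page shows; the real
# local part and domain are not on the page.
RAW_CONFIG = """\
Extracted
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
moIynCqPXDmd
Extracted
agenttesla
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
moIynCqPXDmd - Email To:
[email protected]
"""

FIELDS = ("Protocol", "Host", "Port", "Username", "Password", "Email To")
# Lazy value capture that stops at the next " - <Field>:" separator or end of text.
FIELD_RE = re.compile(
    r"(%s):\s*(.*?)\s*(?=-\s*(?:%s):|$)" % ("|".join(FIELDS), "|".join(FIELDS))
)


@dataclass(frozen=True)
class SmtpExfilConfig:
    family: Optional[str]
    protocol: str
    host: str
    port: int
    username: str
    password: str
    email_to: Optional[str]


def parse_extractions(text: str):
    """Return one SmtpExfilConfig per 'Extracted' block in the flattened report text."""
    configs = []
    for block in text.split("Extracted")[1:]:
        lines = [l.strip() for l in block.strip().splitlines() if l.strip()]
        family = None
        if lines and ":" not in lines[0]:      # a bare family label precedes the fields
            family = lines[0]
            lines = lines[1:]
        flat = " ".join(lines)
        fields = {k: v for k, v in FIELD_RE.findall(flat)}
        configs.append(SmtpExfilConfig(
            family=family,
            protocol=fields["Protocol"].lower(),
            host=fields["Host"],
            port=int(fields["Port"]),
            username=fields["Username"],
            password=fields["Password"],
            email_to=fields.get("Email To"),
        ))
    return configs


def exfil_iocs(configs):
    """Collapse duplicate extractions into one record per (protocol, host, port, account)
    and emit the indicators a hunt team would actually search on."""
    best = {}
    for c in configs:
        key = (c.protocol, c.host, c.port, c.username)
        if key not in best or (c.family and not best[key].family):   # prefer the labelled record
            best[key] = c
    iocs = []
    for c in best.values():
        iocs.append({"type": "socket", "value": f"{c.host}:{c.port}",
                     "note": "exfil server is an IP literal on the SMTP submission port; DNS-based blocking will not see it"})
        iocs.append({"type": "credential", "value": c.username,
                     "note": "sender mailbox (attacker-controlled or compromised)"})
        if c.email_to:
            iocs.append({"type": "email", "value": c.email_to, "note": "recipient mailbox"})
    return iocs


def suricata_rule(cfg: SmtpExfilConfig, sid: int) -> str:
    """Render an alert rule for the extracted exfil socket in Suricata/Snort syntax."""
    fam = cfg.family or "unknown"
    return (f'alert tcp $HOME_NET any -> {cfg.host} {cfg.port} '
            f'(msg:"{fam} SMTP exfil to extracted C2"; flow:to_server,established; '
            f'sid:{sid}; rev:1;)')


if __name__ == "__main__":
    cfgs = parse_extractions(RAW_CONFIG)
    for ioc in exfil_iocs(cfgs):
        print(f'{ioc["type"]:<10} {ioc["value"]:<25} {ioc["note"]}')
    print(suricata_rule(cfgs[-1], 1000001))
```

The dedup key deliberately excludes the password and recipient so that the labelled extraction wins and the unlabelled one is folded into it; on a real case the credential should go to whoever owns the mailbox for rotation rather than into a blocklist.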
Signatures

AgentTesla
Agent Tesla is a .NET-based credential stealer and keylogger (often labelled a RAT); the extracted config above is its SMTP exfiltration channel.

Detect ZGRat V1 (35 IoCs)
YARA rule family_zgrat_v1 matched memory dumps of two processes in behavioral2:
- PID 4288 (BF-TL-605877001.exe): region 0x0000000005620000-0x0000000005820000 at dump 4, then region 0x0000000005620000-0x000000000581B000 at dumps 5, 6 and every even dump from 8 through 68 (33 dumps; the same roughly 2 MB region each time)
- PID 4640 (tmp91CB.tmp.exe): region 0x00000000053A0000-0x0000000005626000 at dump 4836
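The ZGRat list above is 35 rows that describe only a handful of distinct memory regions. The following is an added example, not part of the report: it parses rows in the report's `<task>/memory/<pid>-<dump>-<start>-<end>-memory.dmp <rule>` form (and the on-disk `<path> <rule>` form the PureLog signature uses), collapses repeated hits on the same region into one row with its dump range, and answers the triage question of which PID carried which family. The sample rows are a constructed subset of the ones on the page.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the yara_rule rows listed on the report, one per
# line, in the report's flattened "<task>/memory/<pid>-<dump#>-<start>-<end>-memory.dmp
# <rule>" form, plus the one on-disk PureLog hit. The full report has 35 ZGRat rows.
SAMPLE_HITS = """\
behavioral2/memory/4288-4-0x0000000005620000-0x0000000005820000-memory.dmp family_zgrat_v1
behavioral2/memory/4288-5-0x0000000005620000-0x000000000581B000-memory.dmp family_zgrat_v1
behavioral2/memory/4288-6-0x0000000005620000-0x000000000581B000-memory.dmp family_zgrat_v1
behavioral2/memory/4288-68-0x0000000005620000-0x000000000581B000-memory.dmp family_zgrat_v1
behavioral2/memory/4640-4836-0x00000000053A0000-0x0000000005626000-memory.dmp family_zgrat_v1
behavioral2/memory/4640-4827-0x0000000000100000-0x000000000017C000-memory.dmp family_purelog_stealer
C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp91CB.tmp.exe family_purelog_stealer
"""

MEM_HIT_RE = re.compile(
    r"^(?P<task>\w+)/memory/(?P<pid>\d+)-(?P<seq>\d+)"
    r"-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp\s+(?P<rule>\S+)$"
)


def parse_hits(text):
    """Split the rows into memory-dump hits and on-disk (file path) hits."""
    mem, disk = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_HIT_RE.match(line)
        if m:
            mem.append({
                "task": m["task"], "pid": int(m["pid"]), "seq": int(m["seq"]),
                "start": int(m["start"], 16), "end": int(m["end"], 16), "rule": m["rule"],
            })
        else:
            path, rule = line.rsplit(None, 1)   # "<path> <rule>"
            disk.append({"path": path, "rule": rule})
    return mem, disk


def summarize_regions(mem):
    """Collapse repeated hits on the same (pid, rule, region) into one row with the
    dump-sequence range, so a region that stays resident across snapshots shows up once."""
    groups = defaultdict(list)
    for h in mem:
        groups[(h["pid"], h["rule"], h["start"], h["end"])].append(h["seq"])
    rows = []
    for (pid, rule, start, end), seqs in sorted(groups.items()):
        rows.append({
            "pid": pid, "rule": rule, "start": hex(start), "end": hex(end),
            "size": end - start, "first_seq": min(seqs), "last_seq": max(seqs),
            "snapshots": len(seqs),
        })
    return rows


def pids_by_rule(rows):
    """Which processes carried which family in memory: the triage-level answer."""
    out = defaultdict(set)
    for r in rows:
        out[r["rule"]].add(r["pid"])
    return {rule: sorted(pids) for rule, pids in sorted(out.items())}


if __name__ == "__main__":
    mem, disk = parse_hits(SAMPLE_HITS)
    for r in summarize_regions(mem):
        print(f'{r["pid"]:>5} {r["rule"]:<24} {r["start"]}-{r["end"]} '
              f'{r["size"] // 1024:>5} KiB  dumps {r["first_seq"]}..{r["last_seq"]} ({r["snapshots"]}x)')
    for d in disk:
        print(f'disk  {d["rule"]:<24} {d["path"]}')
    print(pids_by_rule(summarize_regions(mem)))
```

Run over the full list, the 0x5620000 region in PID 4288 collapses to one row spanning dumps 5 through 68, which is the useful fact: the unpacked payload stays mapped in the parent for the whole run, so that is the region to dump, while the hit in PID 4640 sits in the dropped tmp91CB.tmp.exe rather than in the original sample.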
PureLog Stealer
PureLog Stealer is an infostealer written in C#.

PureLog Stealer payload (2 IoCs)
YARA rule family_purelog_stealer matched:
- file C:\Users\Admin\AppData\Local\Temp\tmp91CB.tmp.exe
- memory of PID 4640 (tmp91CB.tmp.exe), region 0x0000000000100000-0x000000000017C000 at dump 4827 (behavioral2)
Downloads MZ/PE file

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
- BF-TL-605877001.exe queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
- fel.exe queried \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\Control Panel\International\Geo\Nation
Executes dropped EXE (2 IoCs)
- PID 4480 fel.exe
- PID 4640 tmp91CB.tmp.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
- BF-TL-605877001.exe set value (str) \REGISTRY\USER\S-1-5-21-1904519900-954640453-4250331663-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\Users\Admin\AppData\Roaming\Ozhvdskglxw.exe"
Looks up external IP address via web service (3 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
- flow 66: api.ipify.org
- flow 67: api.ipify.org
- flow 68: ip-api.com
Suspicious use of SetThreadContext (1 IoC)
- PID 4288 BF-TL-605877001.exe set thread context of PID 3032, a second instance of its own image. Combined with the eight WriteProcessMemory calls from 4288 into 3032 listed below, this is consistent with process hollowing: the parent writes the unpacked payload into a child copy of itself and then redirects that child's thread to it. Note that 3032, not 4288, is the instance that goes on to enumerate processes and take SeDebugPrivilege.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (5 IoCs)
- PID 4288 BF-TL-605877001.exe (2 events)
- PID 3032 BF-TL-605877001.exe (3 events)
Suspicious use of AdjustPrivilegeToken (4 IoCs)
- Token: SeDebugPrivilege, PID 4288 BF-TL-605877001.exe
- Token: SeDebugPrivilege, PID 4480 fel.exe
- Token: SeDebugPrivilege, PID 3032 BF-TL-605877001.exe
- Token: SeDebugPrivilege, PID 4640 tmp91CB.tmp.exe
Suspicious use of WriteProcessMemory (17 IoCs)
- PID 4288 BF-TL-605877001.exe wrote to memory of PID 4480 fel.exe (3 events)
- PID 4288 BF-TL-605877001.exe wrote to memory of PID 2956 BF-TL-605877001.exe (3 events)
- PID 4288 BF-TL-605877001.exe wrote to memory of PID 3032 BF-TL-605877001.exe (8 events)
- PID 4480 fel.exe wrote to memory of PID 4640 tmp91CB.tmp.exe (3 events)
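The WriteProcessMemory and SetThreadContext rows above are where the injection story is, but it only becomes visible once the rows are grouped per (writer, target) pair and compared against what an ordinary child launch looks like on the same page. The following is an added example, not part of the report or any sandbox's own logic: it rebuilds those rows in the report's row format with the same per-pair counts, then classifies each pair. The baseline of three writes per ordinary spawn is an assumption calibrated on this report (fel.exe and tmp91CB.tmp.exe both show exactly three and no thread-context change); tune it for other sandboxes.

```python
import re
from collections import defaultdict

# Constructed sample: the WriteProcessMemory and SetThreadContext rows from the two
# signatures on the report, rebuilt in the report's own row format
#   PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>
#   PID <src> set thread context of <dst> <src> <src_image> <dst_image>
# with the same per-pair counts as on the page (3 + 3 + 8 writes from 4288, 3 from 4480).
W = "PID {s} wrote to memory of {d} {s} {si} {di}\n"
C = "PID {s} set thread context of {d} {s} {si} {di}\n"
SELF = "BF-TL-605877001.exe"
SAMPLE_EVENTS = (
    W.format(s=4288, d=4480, si=SELF, di="fel.exe") * 3
    + W.format(s=4288, d=2956, si=SELF, di=SELF) * 3
    + W.format(s=4288, d=3032, si=SELF, di=SELF) * 8
    + C.format(s=4288, d=3032, si=SELF, di=SELF)
    + W.format(s=4480, d=4640, si="fel.exe", di="tmp91CB.tmp.exe") * 3
)

EVENT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) \d+ (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


def parse_events(text):
    """One dict per row; 'action' is normalised to 'write' or 'set_context'."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"src": int(m["src"]), "dst": int(m["dst"]),
                           "action": "write" if m["action"].startswith("wrote") else "set_context",
                           "src_image": m["src_image"], "dst_image": m["dst_image"]})
    return events


def score_injection(events, baseline_writes=3):
    """Classify each (writer, target) pair.

    Heuristic (assumption, calibrated on this report): an ordinary child launch shows up
    as `baseline_writes` WriteProcessMemory rows and no SetThreadContext. More writes
    than that plus a SetThreadContext on the same target is the hand-off seen in process
    hollowing; when the target is a copy of the writer's own image it is the
    self-hollowing pattern common to RunPE-style loaders.
    """
    pairs = defaultdict(lambda: {"writes": 0, "set_context": False,
                                 "src_image": None, "dst_image": None})
    for e in events:
        p = pairs[(e["src"], e["dst"])]
        p["src_image"], p["dst_image"] = e["src_image"], e["dst_image"]
        if e["action"] == "write":
            p["writes"] += 1
        else:
            p["set_context"] = True
    verdicts = {}
    for key, p in pairs.items():
        same_image = p["src_image"] == p["dst_image"]
        if p["set_context"] and p["writes"] > baseline_writes:
            verdict = "hollowing-candidate" if same_image else "injection-candidate"
        elif same_image and not p["set_context"]:
            # written like a normal spawn but never handed a new thread context (PID 2956 here)
            verdict = "same-image-child-no-context"
        else:
            verdict = "spawn-baseline"
        verdicts[key] = {**p, "same_image": same_image, "verdict": verdict}
    return verdicts


def hollowed_pids(verdicts):
    """PIDs whose memory most likely holds the unpacked payload; these are the ones to dump."""
    return sorted(dst for (src, dst), v in verdicts.items() if v["verdict"] == "hollowing-candidate")


if __name__ == "__main__":
    v = score_injection(parse_events(SAMPLE_EVENTS))
    for (src, dst), r in sorted(v.items()):
        print(f'{src} -> {dst:<5} {r["dst_image"]:<22} writes={r["writes"]:<2} '
              f'ctx={r["set_context"]!s:<5} {r["verdict"]}')
    print("dump these:", hollowed_pids(v))
```

On this report the classifier singles out 3032 as the hollowed instance and separates it from 2956, which received the same three writes as an ordinary spawn and never got a thread-context change, matching the process tree below where 2956 carries no signatures while 3032 enumerates processes and takes SeDebugPrivilege.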
Processes

C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (PID 4288, command line: "C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe")
  - Checks computer location settings
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\fel.exe (PID 4480, command line: "C:\Users\Admin\AppData\Local\Temp\fel.exe")
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\tmp91CB.tmp.exe (PID 4640, command line: "C:\Users\Admin\AppData\Local\Temp\tmp91CB.tmp.exe")
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
  C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (PID 2956, command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe, no signatures)
  C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe (PID 3032, command line: C:\Users\Admin\AppData\Local\Temp\BF-TL-605877001.exe)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3816, unrelated Edge utility process; command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2256,i,9172343514068348080,519219714517961765,262144 --variations-seed-version /prefetch:8)
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45

File 2
Filesize: 35KB
MD5: b47c31e89b4cacc864b6279983b4ffc3
SHA1: b082036aa2adb45f2db952d8dcd200fe766cf3cf
SHA256: 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
SHA512: d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e

File 3 (same 481KB size as the submitted sample, but different hashes)
Filesize: 481KB
MD5: 3a44104fb5d035d1cd725732e94a5e8d
SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1