Analysis
max time kernel: 157s
max time network: 162s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
submitted: 13-03-2024 02:49
Static task: static1
Behavioral task: behavioral1
Sample: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Resource: win10v2004-20240226-en
General
Target: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Size: 481KB
MD5: d555da013d512f714926dd3213083e5d
SHA1: 25ae9c59ae5b3bfe27933981b0a68a0445b22458
SHA256: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457
SHA512: 7f3ad943dbdec3c803f8664d2095add10deb9477acf8c3784411708401a7ca748969fba617a82cd212a0070ec84c061719b9d2175b7570ea68b7b51f97b590e0
SSDEEP: 6144:0stUW74e1KpFcqsIi3IDCIHA/lWGHalBNLrK2OgBBmdN3MVqRw6aPMGGmGlH:02UWwFZCTsG4BNSgB43MBm
Malware Config
Extracted
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd
Extracted
agenttesla
Protocol: smtp
Host: 66.29.151.236
Port: 587
Username: [email protected]
Password: moIynCqPXDmd
Email To: [email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
Detect ZGRat V1 35 IoCs
Processes:
resource  yara_rule
behavioral2/memory/60-4-0x0000000005E60000-0x0000000006060000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-5-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-6-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-8-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-10-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-12-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-14-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-16-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-18-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-20-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-22-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-24-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-26-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-28-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-30-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-32-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-34-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-36-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-38-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-40-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-42-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-44-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-46-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-48-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-50-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-52-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-54-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-56-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-58-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-60-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-62-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-64-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-66-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/60-68-0x0000000005E60000-0x000000000605B000-memory.dmp  family_zgrat_v1
behavioral2/memory/828-4830-0x0000000005FB0000-0x0000000006236000-memory.dmp  family_zgrat_v1
-
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\tmpA330.tmp.exe  family_purelog_stealer
behavioral2/memory/828-4823-0x0000000000D20000-0x0000000000D9C000-memory.dmp  family_purelog_stealer
-
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
-
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
Processes:
resource  yara_rule
behavioral2/memory/4232-4806-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe, fel.exe
description  ioc  process
Key value queried  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Key value queried  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation  fel.exe
-
Executes dropped EXE 2 IoCs
Processes: fel.exe, tmpA330.tmp.exe
pid  process
4316  fel.exe
828  tmpA330.tmp.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe, tmpA330.tmp.exe
description  ioc  process
Set value (str)  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Ozhvdskglxw = "C:\\Users\\Admin\\AppData\\Roaming\\Ozhvdskglxw.exe"  tmpA330.tmp.exe
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
69  api.ipify.org
70  api.ipify.org
71  ip-api.com
-
Suspicious use of SetThreadContext 1 IoCs
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
description  pid  process  target process
PID 60 set thread context of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
pid  process
4232  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
4232  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
4232  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe, fel.exe, e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe, tmpA330.tmp.exe
description  pid  process
Token: SeDebugPrivilege  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Token: SeDebugPrivilege  4316  fel.exe
Token: SeDebugPrivilege  4232  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
Token: SeDebugPrivilege  828  tmpA330.tmp.exe
-
Suspicious use of WriteProcessMemory 14 IoCs
Processes: e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe, fel.exe
description  pid  process  target process
PID 60 wrote to memory of 4316  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  fel.exe
PID 60 wrote to memory of 4316  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  fel.exe
PID 60 wrote to memory of 4316  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  fel.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 60 wrote to memory of 4232  60  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe  e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
PID 4316 wrote to memory of 828  4316  fel.exe  tmpA330.tmp.exe
PID 4316 wrote to memory of 828  4316  fel.exe  tmpA330.tmp.exe
PID 4316 wrote to memory of 828  4316  fel.exe  tmpA330.tmp.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe"
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:60 -
[2] C:\Users\Admin\AppData\Local\Temp\fel.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\fel.exe"
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4316 -
[3] C:\Users\Admin\AppData\Local\Temp\tmpA330.tmp.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\tmpA330.tmp.exe"
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
PID:828 -
[2] C:\Users\Admin\AppData\Local\Temp\e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
    command line: C:\Users\Admin\AppData\Local\Temp\e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4232
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\e837bf6c58ee97ebdb7c3d58a733f3d527bf0150f1eb551af6707f71d54a3457.exe.log
Filesize: 1KB
MD5: c3941d9fa38f1717d5cecd7a2ca71667
SHA1: 33b5362675383b58b4166ed9f9a61e5aa6768d2e
SHA256: f1ed6ff1cd3df219061e32df1c75d6f48de6484cf50e5ea7d86cd8bcfcb93256
SHA512: 98f103ef97d32bf8c0566a6f6da5cf8d58d18f698c1b3e5bd0be0ea8462f5fe54c2e5e6b5188f2b7d8f70082ffd6745b1f7f6cab95af474e2b7eaed50a9d9c45
-
Filesize: 35KB
MD5: b47c31e89b4cacc864b6279983b4ffc3
SHA1: b082036aa2adb45f2db952d8dcd200fe766cf3cf
SHA256: 34109344250f9884f7414b7d31de4f6627d4378e0723446fa836b18b60e8ed84
SHA512: d4febd99d7a9c554aa091ba2a03508bfefcd27ae33f04920865b3802cddcdb1960001acbcb5fab8cf61dc7a1427158b432ffa1c47d377e9417377635a15c994e
-
Filesize: 481KB
MD5: 3a44104fb5d035d1cd725732e94a5e8d
SHA1: cb3f89df88e1468bca9d5ca01d22588791884ecb
SHA256: dcb623cc7f3f21e92e4878c82ce79582fdf6ba1e5e0c76f19097d1496e6c4b08
SHA512: eebe4acc924ef0284d7303ae581d29e67f1f2c23042b3a42e37b3bccedc28d10e3370a4221a95dd07c6d930d5bfae606de3a954f625f13a0eedc2eca8921acc1