Analysis
-
max time kernel
150s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
16-03-2024 03:03
Behavioral task
behavioral1
Sample
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe
Resource
win10v2004-20240226-en
General
-
Target
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe
-
Size
409KB
-
MD5
a64f48e05fc7d21131ee7f86181413b0
-
SHA1
5f34901b97296aa07e210810bbf75269a2701113
-
SHA256
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08
-
SHA512
af4c41f4d6da19ef88b037ba8498057e5bff7460b4c7abc604652898ed775dc547e06627618d422e6f3396b7dbb6a9388f5db46c56d08dabf02b3df5e5355ff4
-
SSDEEP
1536:jxGspx6tjTBchm0hOrtHhYJu6RlXKd+8kGoY5arTKyAWNHRjmz+4H444lM:1LUzAetBeW+8kGP5arTKyjxh4H444lM
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6359093814:AAF_EjsxYKPM2ufeJYS89EiAg_4CPa-HNlM/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect ZGRat V1 34 IoCs
Processes:
resource yara_rule behavioral2/memory/1888-4-0x0000000005650000-0x0000000005876000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-5-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-6-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-8-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-10-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-12-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-14-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-16-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-18-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-20-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-22-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-24-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-26-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-28-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-30-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-32-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-34-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-36-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-38-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-40-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-42-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-44-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-46-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-48-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-50-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-52-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-54-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-56-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-58-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-60-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-62-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-64-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-66-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 behavioral2/memory/1888-68-0x0000000005650000-0x0000000005871000-memory.dmp family_zgrat_v1 -
PureLog Stealer
PureLog Stealer is an infostealer written in C#.
-
PureLog Stealer payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/1888-1-0x00000000000B0000-0x000000000011C000-memory.dmp family_purelog_stealer behavioral2/memory/1888-2-0x0000000004A80000-0x0000000004A90000-memory.dmp family_purelog_stealer -
Detect packed .NET executables. Mostly AgentTeslaV4. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 1 IoCs
Processes:
resource yara_rule behavioral2/memory/1416-4794-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Suspicious use of SetThreadContext 1 IoCs
Processes:
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exedescription pid process target process PID 1888 set thread context of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exeaspnet_compiler.exepid process 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe 1416 aspnet_compiler.exe 1416 aspnet_compiler.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exeaspnet_compiler.exedescription pid process Token: SeDebugPrivilege 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe Token: SeDebugPrivilege 1416 aspnet_compiler.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exedescription pid process target process PID 1888 wrote to memory of 4080 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 4080 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 4080 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe PID 1888 wrote to memory of 1416 1888 f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe aspnet_compiler.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe"C:\Users\Admin\AppData\Local\Temp\f5872c6b688de34eb008a355b6d2106c2a3260f44df4747fb4eaeb26beedde08.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe2⤵PID:4080
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1416