Analysis

max time kernel: 149s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240319-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-03-2024 02:40
Static task: static1

Behavioral task: behavioral1
  Sample: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe
  Resource: win10v2004-20240319-en

All signatures, process activity and memory dumps reported below come from behavioral2 (the Windows 10 run); no results from behavioral1 are shown on this page.
General

Target: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe
Size: 602KB
MD5: cdef16a2a2116cd907aa817b11217cfd
SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
SSDEEP: 12288:lYyGYZS6ESbpYa4i2BzmVNhsBQN/nRTOPihFr3iUR42q6N:IUDESbwylT/nRKWrPN
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: terminal4.veeblehosting.com
  Port: 587
  Username: OTUJI@gomuga.com
  Password: Ifeanyi1987@
  Email To: otuji@kailmaticarbon.com

The stealer exfiltrates over authenticated SMTP submission (port 587) using a mailbox the operator controls, so the host, sender account and recipient address are the actionable mail/network indicators; the password is the operator's, not a victim credential.
Signatures

AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer written in Visual Basic .NET.
YARA rule matches (memory dumps from behavioral2):

Detect packed .NET executables. Mostly AgentTeslaV4. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_EXE_Packed_GEN01

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables packed with or using KoiVM. (1 IoC)
  behavioral2/memory/560-3-0x0000018719650000-0x00000187196E6000-memory.dmp  INDICATOR_EXE_Packed_KoiVM

Detects executables referencing Windows vault credential objects. Observed in infostealers. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store

Detects executables referencing many email and collaboration clients. Observed in information stealers. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients

Detects executables referencing many file transfer clients. Observed in information stealers. (1 IoC)
  behavioral2/memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients

Note the split between the two dumps: the KoiVM packer rule fires only on the 600KB region inside the original sample process (PID 560), while every stealer-capability rule fires on the 264KB region mapped at 0x400000 inside regasm.exe (PID 3876). That region is the unpacked Agent Tesla payload written into the hollowed .NET host (see the SetThreadContext and WriteProcessMemory entries below); the packed on-disk sample itself does not expose those strings. The rule name INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients is reproduced as the rule set spells it.
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation  (by da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe)

Executes dropped EXE (1 IoC)
  PID 2556  svchost.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\Users\Admin\AppData\Roaming\svchost.exe"  (by da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe; the value data includes the surrounding quotes)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 46: ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  PID 2556 (svchost.exe) set thread context of PID 3876 (regasm.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  PID 2372  timeout.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
  PID 560   da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe  (27 events)
  PID 3876  regasm.exe  (3 events)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  SeDebugPrivilege:         PID 560   da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe
  SeDebugPrivilege:         PID 2556  svchost.exe (the dropped copy in AppData\Roaming)
  SeDebugPrivilege:         PID 3876  regasm.exe
  SeManageVolumePrivilege:  PID 828   svchost.exe (the System32 instance running -k UnistackSvcGroup; unrelated to the sample)

Suspicious use of WriteProcessMemory (21 IoCs)
  PID 560  (da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe) -> PID 3736 (cmd.exe)        x2
  PID 560  (da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe) -> PID 4464 (cmd.exe)        x2
  PID 3736 (cmd.exe)     -> PID 4360 (schtasks.exe)  x2
  PID 4464 (cmd.exe)     -> PID 2372 (timeout.exe)   x2
  PID 4464 (cmd.exe)     -> PID 2556 (svchost.exe)   x2
  PID 2556 (svchost.exe) -> PID 3876 (regasm.exe)    x8
  PID 2556 (svchost.exe) -> PID 2056 (regasm.exe)    x3

The paired writes from a parent into a child it has just created are normal process start-up. The eight writes from the dropped svchost.exe into regasm.exe (PID 3876), combined with the SetThreadContext call above, are the hollowing sequence: the host is started suspended, its image is overwritten with the payload, and its main thread's context is redirected to the new entry point. A second regasm.exe (PID 2056) received three writes but shows no further recorded activity.

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe
    cmd: "C:\Users\Admin\AppData\Local\Temp\da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe"
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\cmd.exe
        cmd: "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"' & exit
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\schtasks.exe
            cmd: schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr '"C:\Users\Admin\AppData\Roaming\svchost.exe"'
            - Creates scheduled task(s)

    [2] C:\Windows\system32\cmd.exe
        cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6A33.tmp.bat""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            cmd: timeout 3
            - Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\svchost.exe
            cmd: "C:\Users\Admin\AppData\Roaming\svchost.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of AdjustPrivilegeToken

            [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
                cmd: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

Top-level processes not spawned by the sample (sandbox background activity):

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4088 --field-trial-handle=2292,i,2927097380497635931,2014459809064723663,262144 --variations-seed-version /prefetch:8

[1] C:\Windows\system32\rundll32.exe
    cmd: "C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe

[1] C:\Windows\System32\svchost.exe
    cmd: C:\Windows\System32\svchost.exe -k UnistackSvcGroup
    - Suspicious use of AdjustPrivilegeToken

Read as a chain: the sample registers a logon task named "svchost" (/sc onlogon, /rl highest, which requests the highest integrity level available to the logged-on user rather than an elevation in itself) pointing at a copy of itself in AppData\Roaming, and independently sets a Run key with the same target. A temporary batch file waits three seconds (timeout 3) and starts the dropped copy, which in turn launches the 32-bit regasm.exe (from Framework, not Framework64) with no arguments and hollows it. regasm.exe has no legitimate reason to run without an assembly argument, so a Framework utility started argument-less by a parent in a user-writable directory is the detection point; the YARA hits and the ip-api.com lookup are attributed to that hollowed process (PID 3876).
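The chain in the tree above (Run key and onlogon task pointing at a self-copy named svchost.exe in AppData\Roaming, then an argument-less regasm.exe hollowed from that copy, then an ip-api.com lookup) is the same pattern across many Agent Tesla builds, so it is worth expressing as hunting logic rather than as one set of hashes. The following Python is an added example, not the sandbox's own detection code: it runs five rules over constructed Sysmon-style events modelled on this report. The paths, PIDs, registry key, schtasks command line and ip-api.com lookup are taken from the report; the event schema, rule names, the other .NET host utilities and the extra IP-echo hostnames are assumptions that generalise beyond this sample. A benign regasm.exe invocation is included as a control to show the argument-less check does not fire on real COM registration.

```python
"""Hunt the Agent Tesla persistence/hollowing chain over Sysmon-style events.
Added example; event schema, rule names and host lists are assumptions."""
import re
from pathlib import PureWindowsPath

# Directories a non-admin user can write to; a Windows system-binary name
# living here is the masquerade seen in this report (svchost.exe in Roaming).
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files")
SYSTEM_BINARY_NAMES = {"svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe", "explorer.exe", "dllhost.exe"}
# .NET Framework utilities used as hollowing hosts (regasm.exe here; others assumed).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "installutil.exe", "msbuild.exe", "aspnet_compiler.exe"}
# ip-api.com is the service in the report; the rest are other public IP echo services.
IP_LOOKUP_HOSTS = {"ip-api.com", "api.ipify.org", "checkip.dyndns.org", "icanhazip.com"}
RUN_KEY_RE = re.compile(r"\\currentversion\\run(once)?\\")
TOKEN_RE = re.compile(r'"[^"]*"|\'[^\']*\'|\S+')   # keep quoted groups intact


def unquote(tok: str) -> str:
    return tok.strip("'\"")


def basename(path: str) -> str:
    return PureWindowsPath(unquote(path)).name.lower()


def is_user_writable(path: str) -> bool:
    return any(m in unquote(path).lower() for m in USER_WRITABLE_MARKERS)


def is_trusted(path: str) -> bool:
    return unquote(path).lower().startswith(TRUSTED_ROOTS)


def tokenize(cmdline: str) -> list:
    return TOKEN_RE.findall(cmdline)


def schtasks_options(tokens: list) -> dict:
    """Map each /switch to its (unquoted, lower-cased) value; bare switches map to ''."""
    opts = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("/"):
            nxt = tokens[i + 1] if i + 1 < len(tokens) else ""
            opts[tok.lower()] = "" if nxt.startswith("/") else unquote(nxt).lower()
    return opts


def finding(rule: str, pid: int, detail: str) -> dict:
    return {"rule": rule, "pid": pid, "detail": detail}


def analyze(events: list) -> list:
    out = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and RUN_KEY_RE.search(ev["key"].lower()):
            target = unquote(ev["data"])
            if is_user_writable(target) and basename(target) in SYSTEM_BINARY_NAMES:
                out.append(finding("run_key_masquerade", ev["pid"], f"{ev['key']} = {target}"))
            elif is_user_writable(target):
                out.append(finding("run_key_user_path", ev["pid"], f"{ev['key']} = {target}"))
        elif kind == "process":
            name, tokens = basename(ev["image"]), tokenize(ev["cmdline"])
            if name == "schtasks.exe":
                o = schtasks_options(tokens)
                if ("/create" in o and o.get("/sc") == "onlogon" and o.get("/rl") == "highest"
                        and is_user_writable(o.get("/tr", ""))):
                    out.append(finding("schtasks_onlogon_highest", ev["pid"], ev["cmdline"]))
            elif name in SYSTEM_BINARY_NAMES and is_user_writable(ev["image"]):
                out.append(finding("process_masquerade", ev["pid"], ev["image"]))
            elif name in DOTNET_HOSTS and len(tokens) == 1 and not is_trusted(ev["parent_image"]):
                # A Framework utility with no arguments, started by a parent outside
                # Windows/Program Files, is a hollowing host rather than a real invocation.
                out.append(finding("dotnet_host_hollowing", ev["pid"], f"{ev['parent_image']} -> {ev['image']}"))
        elif kind == "set_thread_context":
            if not is_trusted(ev["source_image"]) and basename(ev["target_image"]) in DOTNET_HOSTS:
                out.append(finding("thread_context_hijack", ev["source_pid"],
                                   f"{ev['source_image']} -> pid {ev['target_pid']}"))
        elif kind == "dns" and ev["query"].lower() in IP_LOOKUP_HOSTS:
            out.append(finding("external_ip_lookup", ev["pid"], ev["query"]))
    return out


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe"
DROPPED = r"C:\Users\Admin\AppData\Roaming\svchost.exe"
REGASM = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"

# Constructed events modelled on the report, plus one benign regasm.exe control.
EVENTS = [
    {"type": "registry_set", "pid": 560, "image": SAMPLE, "data": f'"{DROPPED}"',
     "key": r"HKU\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost"},
    {"type": "process", "pid": 4360, "image": r"C:\Windows\system32\schtasks.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'schtasks /create /f /sc onlogon /rl highest /tn "svchost" /tr \'"' + DROPPED + '"\''},
    {"type": "process", "pid": 2556, "image": DROPPED, "parent_image": r"C:\Windows\system32\cmd.exe",
     "cmdline": f'"{DROPPED}"'},
    {"type": "process", "pid": 3876, "image": REGASM, "parent_image": DROPPED, "cmdline": f'"{REGASM}"'},
    {"type": "set_thread_context", "source_pid": 2556, "source_image": DROPPED,
     "target_pid": 3876, "target_image": REGASM},
    {"type": "dns", "pid": 3876, "query": "ip-api.com"},
    {"type": "process", "pid": 9001, "image": REGASM,          # benign: installer registering a COM assembly
     "parent_image": r"C:\Program Files\ExampleVendor\setup.exe",
     "cmdline": f'"{REGASM}" /codebase "C:\\Program Files\\ExampleVendor\\plugin.dll"'},
]

if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"{f['rule']:<26} pid={f['pid']:<5} {f['detail']}")
```

Running the script prints six findings, one per stage of the chain, and nothing for the control process; fed real Sysmon events (Event ID 1 for process creation, 13 for registry value set, 22 for DNS), the same rules apply unchanged apart from field names. The argument-less .NET host rule is the one with the best signal-to-noise in practice, because regasm.exe, regsvcs.exe and installutil.exe always take an assembly path when used legitimately.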
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1): Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
Downloads

Files

C:\Users\Admin\AppData\Local\Temp\tmp6A33.tmp.bat
  Filesize: 151B
  MD5: f7c9a72f71bae8d624d72faf75672419
  SHA1: 3939123cc0bcb11ba317ec34905bd9ccd096b4f8
  SHA256: af096731f87a7aead701872aa29d89624cdf940459497c14b223b0cf1fe780b2
  SHA512: ff2641dccfdc395f2c62f28c0299de8e244d9fe8c053bb1d859065f7c623daae57336eb73beba860f8399a409a10c2c15f0fa6b6595632e2fbdacfd77812138e

C:\Users\Admin\AppData\Roaming\svchost.exe
  Filesize: 602KB
  MD5: cdef16a2a2116cd907aa817b11217cfd
  SHA1: d23ba1f017c0e65ba65203c889a2bea963d63d3a
  SHA256: da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6
  SHA512: 9ad7168fd876ceb36229330092f2f70d5a305e9422ff7cc321684c3210ad217a214ed517041f0738eb1a98b977232dcf01d8f8e6a3ca03e3a6261baef94d90ae
  Every hash matches the submitted sample: the dropped file is a byte-for-byte self-copy, so the sample's hashes also identify the persisted copy on disk.

Memory dumps

PID 560 (da6572812314662cf364e04dc4db580245e4598063fe952cb509575ca88392f6.exe)
  memory/560-0-0x000001877EDD0000-0x000001877EDD8000-memory.dmp  32KB
  memory/560-1-0x00007FFE6D3F0000-0x00007FFE6DEB1000-memory.dmp  10.8MB
  memory/560-2-0x0000018719550000-0x0000018719560000-memory.dmp  64KB
  memory/560-3-0x0000018719650000-0x00000187196E6000-memory.dmp  600KB  (INDICATOR_EXE_Packed_KoiVM)
  memory/560-8-0x00007FFE6D3F0000-0x00007FFE6DEB1000-memory.dmp  10.8MB

PID 828 (svchost.exe, the System32 -k UnistackSvcGroup instance)
  memory/828-25-0x000002A26FA40000-0x000002A26FA50000-memory.dmp  64KB
  memory/828-41-0x000002A26FB40000-0x000002A26FB50000-memory.dmp  64KB
  memory/828-57-0x000002A277E30000-0x000002A277E31000-memory.dmp  4KB
  memory/828-59-0x000002A277E60000-0x000002A277E61000-memory.dmp  4KB
  memory/828-60-0x000002A277E60000-0x000002A277E61000-memory.dmp  4KB
  memory/828-61-0x000002A277F70000-0x000002A277F71000-memory.dmp  4KB

PID 2556 (C:\Users\Admin\AppData\Roaming\svchost.exe)
  memory/2556-13-0x00007FFE6C6B0000-0x00007FFE6D171000-memory.dmp  10.8MB
  memory/2556-19-0x00007FFE6C6B0000-0x00007FFE6D171000-memory.dmp  10.8MB

PID 3876 (regasm.exe)
  memory/3876-14-0x0000000000400000-0x0000000000442000-memory.dmp  264KB  (unpacked payload at the image base; all stealer YARA hits)
  memory/3876-15-0x00000000745B0000-0x0000000074D60000-memory.dmp  7.7MB
  memory/3876-16-0x0000000005A60000-0x0000000006004000-memory.dmp  5.6MB
  memory/3876-17-0x00000000054A0000-0x00000000054B0000-memory.dmp  64KB
  memory/3876-18-0x0000000005240000-0x00000000052A6000-memory.dmp  408KB
  memory/3876-20-0x00000000067A0000-0x00000000067F0000-memory.dmp  320KB
  memory/3876-21-0x0000000006890000-0x0000000006922000-memory.dmp  584KB
  memory/3876-22-0x0000000006820000-0x000000000682A000-memory.dmp  40KB
  memory/3876-23-0x00000000745B0000-0x0000000074D60000-memory.dmp  7.7MB
  memory/3876-24-0x00000000054A0000-0x00000000054B0000-memory.dmp  64KB

For triage, memory/3876-14 is the dump to pull: it is the 32-bit image that was written into regasm.exe and is what the Agent Tesla configuration above was extracted from, whereas the on-disk sample and its Roaming copy are the KoiVM-protected loader.