Analysis
- max time kernel: 122s
- max time network: 191s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 29-03-2024 01:55

Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: Bank slip.exe; Resource: win7-20240221-en)
- Behavioral task: behavioral2 (Sample: Bank slip.exe; Resource: win10v2004-20240226-en)
General
- Target: Bank slip.exe
- Size: 810KB
- MD5: dfa4d69d102efe18603b643e03cd916f
- SHA1: 104857721a2a10211bf4638fc1aac4f01026839d
- SHA256: ae7f2736fd9aa11676e139b0d89f702cd2fab6660b9b589c1feddc4898520c41
- SHA512: 0e248fc8bbc5db13db05c266b46a0bbd4900de17c5208c881fc66ff0732cd67af50000936da1a1b198fefa9e9407388fdf9ff78116b5b2abdaa02817a67f46fe
- SSDEEP: 12288:GfpsApRsBWD84RF1RSaXXqftMwjfBCQr60ijTLGSCB8rBCg09poeV:GtpRse40MvCVTGhBoCX9
Malware Config
Extracted family: agenttesla
- Protocol: smtp
- Host: mail.kabeercommodities.com
- Port: 587
- Username: [email protected]
- Password: w{A6H.o&sz%g
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Network flows (flow, IoC):
    4: api.ipify.org
    5: api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (source pid, source process, target pid, target process):
    PID 2536 Bank slip.exe set thread context of PID 2656 Bank slip.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (13 IoCs)
  Processes (pid, process; duplicate rows collapsed with their count):
    2536 Bank slip.exe (9 entries)
    2656 Bank slip.exe (2 entries)
    1232 powershell.exe (1 entry)
    2456 powershell.exe (1 entry)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege - 2536 Bank slip.exe
    Token: SeDebugPrivilege - 2656 Bank slip.exe
    Token: SeDebugPrivilege - 1232 powershell.exe
    Token: SeDebugPrivilege - 2456 powershell.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  Processes (source pid, source process, target pid, target process; duplicate rows collapsed with their count):
    PID 2536 Bank slip.exe wrote to memory of 2456 powershell.exe (4 entries)
    PID 2536 Bank slip.exe wrote to memory of 1232 powershell.exe (4 entries)
    PID 2536 Bank slip.exe wrote to memory of 1976 schtasks.exe (4 entries)
    PID 2536 Bank slip.exe wrote to memory of 2064 Bank slip.exe (4 entries)
    PID 2536 Bank slip.exe wrote to memory of 1600 Bank slip.exe (4 entries)
    PID 2536 Bank slip.exe wrote to memory of 2656 Bank slip.exe (9 entries)
Processes (process tree; indentation shows parent/child relationship)
- C:\Users\Admin\AppData\Local\Temp\Bank slip.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uhoFDbAUHRPNgj.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uhoFDbAUHRPNgj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Bank slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"
    (no signatures recorded)
  - C:\Users\Admin\AppData\Local\Temp\Bank slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"
    (no signatures recorded)
  - C:\Users\Admin\AppData\Local\Temp\Bank slip.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads (dropped files)
- C:\Users\Admin\AppData\Local\Temp\tmp60C6.tmp
  Filesize: 1KB
  MD5: 1f27436a7ef4ea8908bac76f85cfb9a2
  SHA1: 96200bdad076484374df6d9f0faafd89903d2bc6
  SHA256: 7cd82f1bc8336139353b1c79dda2fa1502d7fcf01a1c07e7684c5907ed520054
  SHA512: d4811ede17b28c3a2717c9940661511643666548cef0cbc621fe808c885281ce4a46ad6ffe974dc3965a30940339049ed32383378951af9ac734f947609fcd61
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: 02d151bc70608d80dfde82b85097929d
  SHA1: cb45c429a76f0bc60da0c7ef7c7404d34efe9836
  SHA256: 79ea2d941082f5aad9ea68270f3ae94daa727e356cfbcfa5ea11545809d37c7d
  SHA512: 83804499ed34620c05b7992a18f68ae10b6ec73dea074bfe9ed4e436e6e9b37637471f6348fe1c440d9b907bb89ffa69aaff041e9533ff5700f30f4a5c9ebfff