Analysis
max time kernel: 120s
max time network: 120s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 03/04/2024, 11:20
Static task: static1
Behavioral task: behavioral1
  Sample: yWQK3JWrMiYdSNG.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: yWQK3JWrMiYdSNG.exe
  Resource: win10v2004-20240226-en
General
Target: yWQK3JWrMiYdSNG.exe
Size: 632KB
MD5: 6ceddbf6cce1a61048b8c9f2f42108c5
SHA1: a9aadd0abed5397ae62f6095e5b05f5d5eb9055f
SHA256: 105c79d054029dcf3d38c5ba526dc7c111cc2e2e6fb2555a88c0820a6ba9eb52
SHA512: e9f733cad22fbb711ea029039aefe799c6172e81b275f93c8699d912e289e47ee93b1282f005e941780284ad74359d85aa20d583754eb39c11581ab8c090e1b7
SSDEEP: 12288:lZcsd8531D0sDjNvu56pw/XVyBcYZkYeUZJouWPZzQvX/Lgf2LWl:ltK1D0+NW5MeVyB8LGJouq6//Ef2al
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: mail.funworld.co.id
Port: 587
Username: [email protected]
Password: fwp123mail
Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1956 set thread context of 2628 | pid: 1956 | process: yWQK3JWrMiYdSNG.exe | procid_target: 32
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 3028 | process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  pid: 2628 | process: yWQK3JWrMiYdSNG.exe
  pid: 2628 | process: yWQK3JWrMiYdSNG.exe
  pid: 2672 | process: powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description: Token: SeDebugPrivilege | pid: 2628 | process: yWQK3JWrMiYdSNG.exe
  description: Token: SeDebugPrivilege | pid: 2672 | process: powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid: 2628 | process: yWQK3JWrMiYdSNG.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  description: PID 1956 wrote to memory of 2672 | pid: 1956 | process: yWQK3JWrMiYdSNG.exe | procid_target: 28 (4 entries)
  description: PID 1956 wrote to memory of 3028 | pid: 1956 | process: yWQK3JWrMiYdSNG.exe | procid_target: 30 (4 entries)
  description: PID 1956 wrote to memory of 2628 | pid: 1956 | process: yWQK3JWrMiYdSNG.exe | procid_target: 32 (9 entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe
   "C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"
   PID: 1956
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\SVxgdVWqIPqwco.exe"
      PID: 2672
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
   2. C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVxgdVWqIPqwco" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp"
      PID: 3028
      - Creates scheduled task(s)
   2. C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe
      "C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"
      PID: 2628
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Note on the paths: the command lines name System32 but the images that ran live in SysWOW64, because the 32-bit parent is subject to WOW64 file system redirection. The chain is the usual AgentTesla loader pattern: the first instance adds a Defender exclusion for the copy it will drop under AppData\Roaming, registers a scheduled task under Updates\ from an XML file in Temp, then starts a second copy of itself and replaces its thread context (the SetThreadContext IoC), which is where the stealer logic runs and where the credential reads and SetWindowsHookEx are reported.
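The three behaviours in the tree above (Defender exclusion, scheduled task imported from a Temp XML, self-injection via WriteProcessMemory plus SetThreadContext) are each detectable from process-creation and API telemetry alone. The script below is an added example, not part of the sandbox report or the sample: it rebuilds the page's process records and IoC rows as constructed data, then runs three small rules over them and maps hits to ATT&CK technique IDs. The tuple layout, function names and the rule thresholds are this example's own choices.

```python
"""Flag the techniques visible in the process tree above.

Added example, not part of the sandbox report or the AgentTesla sample. The
records are constructed from the command lines and IoC rows on the page; the
tuple layout, function names and ATT&CK mapping are this example's own choices.
"""
import re

# Constructed from the page's process tree: (pid, ppid, image, command line).
PROCESSES = [
    (1956, 0, r"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"'),
    (2672, 1956, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
     r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\SVxgdVWqIPqwco.exe"'),
    (3028, 1956, r"C:\Windows\SysWOW64\schtasks.exe",
     r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\SVxgdVWqIPqwco" '
     r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp3A23.tmp"'),
    (2628, 1956, r"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\yWQK3JWrMiYdSNG.exe"'),
]

# Constructed from the SetThreadContext / WriteProcessMemory IoC rows:
# (api, source pid, target pid), duplicate rows collapsed.
API_EVENTS = [
    ("WriteProcessMemory", 1956, 2672),
    ("WriteProcessMemory", 1956, 3028),
    ("WriteProcessMemory", 1956, 2628),
    ("SetThreadContext", 1956, 2628),
]


def _arg(flag_pattern, cmd):
    """Return the (optionally quoted) argument that follows flag_pattern, or None."""
    m = re.search(flag_pattern + r'\s+(?:"([^"]+)"|(\S+))', cmd, re.I)
    return (m.group(1) or m.group(2)) if m else None


def find_defender_exclusions(processes):
    """T1562.001: Defender exclusion added on the command line. Any exclusion is
    worth a look; one pointing into a user profile for a dropped .exe is a strong signal."""
    hits = []
    for pid, _ppid, image, cmd in processes:
        if not image.lower().endswith("powershell.exe") or "add-mppreference" not in cmd.lower():
            continue
        path = _arg(r"-Exclusion(?:Path|Process|Extension)", cmd)
        if path and "\\appdata\\" in path.lower():
            hits.append((pid, path))
    return hits


def find_task_import_from_temp(processes):
    """T1053.005: schtasks /Create importing its definition from an XML file in
    a temp directory (the XML is usually deleted right after, so log the path now)."""
    hits = []
    for pid, _ppid, image, cmd in processes:
        if not image.lower().endswith("schtasks.exe") or "/create" not in cmd.lower():
            continue
        xml = _arg(r"/XML", cmd)
        if xml and "\\temp\\" in xml.lower():
            hits.append((pid, _arg(r"/TN", cmd), xml))
    return hits


def find_self_hollowing(processes, api_events):
    """T1055.012: a parent writes into a child that runs the parent's own image
    and then redirects the child's thread with SetThreadContext. The write alone
    is not a discriminator: the parent above also wrote into powershell.exe and
    schtasks.exe, and neither received a SetThreadContext."""
    image = {pid: img.lower() for pid, _, img, _ in processes}
    parent = {pid: ppid for pid, ppid, _, _ in processes}
    written = {(s, t) for api, s, t in api_events if api == "WriteProcessMemory"}
    hits = []
    for api, src, dst in api_events:
        if (api == "SetThreadContext" and (src, dst) in written
                and parent.get(dst) == src
                and src in image and dst in image and image[src] == image[dst]):
            hits.append((src, dst))
    return hits


def triage(processes, api_events):
    """Run all three rules and key the findings by ATT&CK technique ID."""
    return {
        "T1562.001": find_defender_exclusions(processes),
        "T1053.005": find_task_import_from_temp(processes),
        "T1055.012": find_self_hollowing(processes, api_events),
    }


if __name__ == "__main__":
    for technique, hits in triage(PROCESSES, API_EVENTS).items():
        print(technique, hits)
```

On a real endpoint the same tuples come from Sysmon event ID 1 (process creation, for the command lines) and ID 8/10 style API telemetry from an EDR; the rules are deliberately narrow (user-profile exclusion path, XML under Temp, same-image child plus SetThreadContext) so that routine administration and ordinary child-process creation do not trip them.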
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 3b3fd0bf1ce63b96d762bb061353c1b0
  SHA1: 6779808da1826487e2043a5033f34e4c35c23680
  SHA256: e5866608eb75b7be96ad0374968324501c2c9c1cb0af8f9eb1047c1484e068e1
  SHA512: 7a174e5ba2ca313ba7e1a523efa463bbbbfba338076ea74ad7adc5d48b5465ed8d017e75a672982afa0254e1c102452d43cefa654113ab8c7b60ddd2133ffd9e