Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03/04/2024, 12:09
Static task
static1
Behavioral task
behavioral1
Sample
Balance payment made.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Balance payment made.exe
Resource
win10v2004-20240226-en
General
-
Target
Balance payment made.exe
-
Size
332KB
-
MD5
719c42cc090147553a6c1579c91b4789
-
SHA1
f3fea4df3bc34e90501a5b9c413a62184f67ff4f
-
SHA256
c0f96896bb7e168d46975892f9bafc3358fc769568969ee421e7a0dd51ed899a
-
SHA512
b1baa052046a238aede67262d716effd5d95fc5c4de9e241a26f31e4a80ce80e50e5d31d40677a817145e52b5418e7a0e992cfd706ce0c17851624f066de94b4
-
SSDEEP
6144:x5wdIQrN5LW7fl1FtNLscgZwsKQs67yqcJu8eZA4uDT3+dhB:PwmwxW7d1hvgZwXQs6+M8UAjDS
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.etiprim.com - Port:
587 - Username:
[email protected] - Password:
ETP@habiballah2023 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2144 set thread context of 1616 2144 Balance payment made.exe 28 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1616 Balance payment made.exe 1616 Balance payment made.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1616 Balance payment made.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28 PID 2144 wrote to memory of 1616 2144 Balance payment made.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Balance payment made.exe"C:\Users\Admin\AppData\Local\Temp\Balance payment made.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2144 -
C:\Users\Admin\AppData\Local\Temp\Balance payment made.exe"C:\Users\Admin\AppData\Local\Temp\Balance payment made.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616
-