Analysis
- max time kernel: 118s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/04/2024, 19:27
Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe
- Resource: win10v2004-20240319-en
General
- Target: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe
- Size: 621KB
- MD5: ed67717191ea530e47d854ec8aa4b7e9
- SHA1: 343f7cc70fd3d2760388f6531eaa1e8b0c5aa353
- SHA256: 24798002b81be4c9b37539e1abea61cccb014cbd427fe1a27d6822e1ffedc7d9
- SHA512: 9f2d3b4c950d788e380a677872e385c1bc70f7619512b5e2968be4a4bf4d10d22d7181638ff214b8c776be0f3508437b196cd1af09d343298fef568bb6d69bc6
- SSDEEP: 12288:ohWsbRVjnZE8wC/f3/Ehz2Wlse0B+J/djfNe8TMzmBYcyI/wdXbMei:ynjZIC/P/O6uz0B+vZzfZjwJM
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: PMOYQrU0
- Email To: [email protected]
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Reads user/profile data of local email clients (2 TTPs): Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs): Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (1 IoCs): Uses a legitimate IP lookup service to find the infected system's external IP.
  flow: 4; ioc: ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  description: PID 2332 set thread context of 2468; pid: 2332; Process: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe; procid_target: 35
- Enumerates physical storage devices (1 TTPs): Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs): Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid: 2696; Process: schtasks.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid: 2332; Process: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe (4 entries)
  pid: 2640; Process: powershell.exe
  pid: 2540; Process: powershell.exe
  pid: 2468; Process: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description: Token: SeDebugPrivilege; pid: 2332; Process: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe
  description: Token: SeDebugPrivilege; pid: 2640; Process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 2540; Process: powershell.exe
  description: Token: SeDebugPrivilege; pid: 2468; Process: SecuriteInfo.com.Win32.TrojanX-gen.27067.exe
- Suspicious use of WriteProcessMemory (25 IoCs; all entries have pid 2332, Process SecuriteInfo.com.Win32.TrojanX-gen.27067.exe)
  description: PID 2332 wrote to memory of 2640; procid_target: 28 (4 entries)
  description: PID 2332 wrote to memory of 2540; procid_target: 30 (4 entries)
  description: PID 2332 wrote to memory of 2696; procid_target: 32 (4 entries)
  description: PID 2332 wrote to memory of 2436; procid_target: 34 (4 entries)
  description: PID 2332 wrote to memory of 2468; procid_target: 35 (9 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe (PID 2332, root process)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes of PID 2332:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2640)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2540)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\aKEhifRzA.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe (PID 2696)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aKEhifRzA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA3ED.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe (PID 2436)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe"
  - C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe (PID 2468)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.TrojanX-gen.27067.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: f075f8ab5e1c2db2acdc9fb2a99f85a2
  SHA1: 09789667ae193513499a51f4dfd03b45ffe0df76
  SHA256: 879f892211481fa7b3d3614c9c8bcf3fe6f38763c513b251d1c5057f1db7b688
  SHA512: 8005597c7883f7ef34794c3721089c3e7324883bbd2dde1c21c31cc9deb0f008dc007dce5fc06c8d8fbf97e49f8b9511a2cc3a24bad61d11d0640e007099bc20
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BWWG1ZXUHJ741DI2EOLZ.temp
  Filesize: 7KB
  MD5: fe62b28d46e721c4367832ffee701bf3
  SHA1: e2e0f46433ac3e8cb97ebc7eda558e6479de75bd
  SHA256: 15e65183cf20fb9dac06166c3bbbc7454f837e7bdd3ee95c87880dfa55f46784
  SHA512: 537f87e577e292236db20931dadcb865678215556996293b1c99591755297132a0a4d8e65ddd7ad3ade1a1dc5c9203238f9026f3e0bf171250ef92f0028d63f8