Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system -
submitted
26-04-2024 01:03
Static task
static1
Behavioral task
behavioral1
Sample
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe
Resource
win10v2004-20240412-en
General
-
Target
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe
-
Size
636KB
-
MD5
b9df3bc72171550875457bca5b4f9042
-
SHA1
1517de29c1c62ecb854c9ae82028a439d6f737cd
-
SHA256
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c
-
SHA512
85c89a984c3ad8d42dc9b4e66cb0495d24fd2fa7d935e2daa019f1af34ebe0ef2562be5fc06a61ed59a78913bdb5d5acbc9c3dcaf62e5b22699b60eac8a06282
-
SSDEEP
12288:6sRelh9xGjhzYIzn4IOpmKsLesMcNr0dniYgd4tllBEjjEMimCi3:6UyU5YIz4IQ6esMcN2nFI6VEjj5iRC
Malware Config
Extracted
Protocol: smtp- Host:
mail.lilydesign.com.tr - Port:
587 - Username:
[email protected] - Password:
1207HAmza*
Extracted
agenttesla
Protocol: smtp- Host:
mail.lilydesign.com.tr - Port:
587 - Username:
[email protected] - Password:
1207HAmza* - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 24 api.ipify.org 26 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exedescription pid process target process PID 4288 set thread context of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
jsc.exepid process 2080 jsc.exe 2080 jsc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exejsc.exedescription pid process Token: SeDebugPrivilege 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe Token: SeDebugPrivilege 2080 jsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
jsc.exepid process 2080 jsc.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exedescription pid process target process PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 2080 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 1656 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 1656 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe PID 4288 wrote to memory of 1656 4288 d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe jsc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe"C:\Users\Admin\AppData\Local\Temp\d4b0d250879757b13113d03ca5ab449771e5f4a31ab082dba16d124498a98e5c.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2080 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵PID:1656
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2080-8-0x0000000005940000-0x0000000005950000-memory.dmpFilesize
64KB
-
memory/2080-10-0x0000000007060000-0x00000000070B0000-memory.dmpFilesize
320KB
-
memory/2080-15-0x0000000005940000-0x0000000005950000-memory.dmpFilesize
64KB
-
memory/2080-14-0x00000000748E0000-0x0000000075090000-memory.dmpFilesize
7.7MB
-
memory/2080-13-0x0000000007230000-0x000000000723A000-memory.dmpFilesize
40KB
-
memory/2080-5-0x00000000748E0000-0x0000000075090000-memory.dmpFilesize
7.7MB
-
memory/2080-12-0x0000000007290000-0x0000000007322000-memory.dmpFilesize
584KB
-
memory/2080-6-0x0000000005F00000-0x00000000064A4000-memory.dmpFilesize
5.6MB
-
memory/2080-4-0x0000000000400000-0x0000000000440000-memory.dmpFilesize
256KB
-
memory/2080-11-0x0000000007150000-0x00000000071EC000-memory.dmpFilesize
624KB
-
memory/2080-7-0x00000000059C0000-0x0000000005A26000-memory.dmpFilesize
408KB
-
memory/4288-9-0x00007FFF3F6B0000-0x00007FFF40171000-memory.dmpFilesize
10.8MB
-
memory/4288-1-0x00007FFF3F6B0000-0x00007FFF40171000-memory.dmpFilesize
10.8MB
-
memory/4288-0-0x000001E2508A0000-0x000001E2508B0000-memory.dmpFilesize
64KB
-
memory/4288-3-0x000001E250C70000-0x000001E250D06000-memory.dmpFilesize
600KB
-
memory/4288-2-0x000001E26AF40000-0x000001E26AF50000-memory.dmpFilesize
64KB