Analysis
-
max time kernel
121s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
27-04-2024 01:37
Behavioral task
behavioral1
Sample
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe
Resource
win10v2004-20240419-en
General
-
Target
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe
-
Size
234KB
-
MD5
685545b03d8a83f08505c1236125eedf
-
SHA1
3f1659d4c2947ee4e34a5ad228aca205f0dc0630
-
SHA256
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d
-
SHA512
99474261ec360d9727e1103c2f190d2a934c718c36cf59e905af0a27aba033a16ff8ff2b651e3a78af4f3bca82bc771f74c6be01508398ffd06f92ca97c034ad
-
SSDEEP
3072:8AcUyHjvD3D7QnzlSfEq+7DJyD5G10L8f:8ZUyHjvD3D7Qh+w7Fye0w
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.amtechprinting.com - Port:
21 - Username:
[email protected] - Password:
B=OgTAJmiPuN
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\My App = "C:\\Users\\Admin\\AppData\\Roaming\\My App\\My App.exe" fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exepid process 360 fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe 360 fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exedescription pid process Token: SeDebugPrivilege 360 fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe"C:\Users\Admin\AppData\Local\Temp\fb4e83e86a7922340756971d6c2de46ecb73aa0e55e62047702149267927dc3d.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken