Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
30-04-2024 01:34
Behavioral task
behavioral1
Sample
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe
Resource
win10v2004-20240419-en
General
-
Target
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe
-
Size
240KB
-
MD5
65435ea324a28dcd1b314b1b10c02951
-
SHA1
497a4463db2b8db7279dafa3ddb2496e01dde04f
-
SHA256
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac
-
SHA512
37afe959669d5fb1ccd95704140c7ae5a7323bdfc8325cac3e4b372e936996963ee0f01ddcf7c0b4c06a4edaa89b0d6284774d3a77250647178c8647095b23fe
-
SSDEEP
3072:6PMVHbnDyj0OC928iyv2Kjhp+2c2FjYrQCBa4XlYflXXEz5RgM7dE4l01:6PMVHbnDygOC92aCQ46fpXEIM7e
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7109324415:AAEtV_HPY0H5mFN38xCDvDx9wl-kKb9q3qg/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3411335054-1982420046-2118495756-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\huYFv = "C:\\Users\\Admin\\AppData\\Roaming\\huYFv\\huYFv.exe" 0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 16 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exepid process 400 0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe 400 0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exedescription pid process Token: SeDebugPrivilege 400 0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe"C:\Users\Admin\AppData\Local\Temp\0d55d9509730eade8dac7811d508b7ab0df6c018e2867b3af69c7c309f9006ac.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/400-0-0x00000000008B0000-0x00000000008F2000-memory.dmpFilesize
264KB
-
memory/400-1-0x00000000749C0000-0x0000000075170000-memory.dmpFilesize
7.7MB
-
memory/400-2-0x0000000005860000-0x0000000005E04000-memory.dmpFilesize
5.6MB
-
memory/400-3-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB
-
memory/400-4-0x0000000005480000-0x00000000054E6000-memory.dmpFilesize
408KB
-
memory/400-6-0x0000000006970000-0x00000000069C0000-memory.dmpFilesize
320KB
-
memory/400-7-0x0000000006A60000-0x0000000006AFC000-memory.dmpFilesize
624KB
-
memory/400-8-0x0000000006CA0000-0x0000000006D32000-memory.dmpFilesize
584KB
-
memory/400-9-0x0000000006C60000-0x0000000006C6A000-memory.dmpFilesize
40KB
-
memory/400-10-0x00000000749C0000-0x0000000075170000-memory.dmpFilesize
7.7MB
-
memory/400-11-0x0000000005400000-0x0000000005410000-memory.dmpFilesize
64KB