Analysis

max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 14-05-2024 15:03

Static task: static1
Behavioral task: behavioral1
Sample: Factura Proforma Nº 2024000107.exe
Resource: win7-20240221-en
General

Target: Factura Proforma Nº 2024000107.exe
Size: 1.2MB
MD5: b1a93c951334dd187af4ab129e2729fc
SHA1: 031ae853bb236ce49cf2db417e54d6b1cf994c79
SHA256: 00fd3a2a4eb0b43e1b4c897cd57306ec6d3219d2241972350a211362ae33e5aa
SHA512: 475eab0dfefb0575ab26b1c8c4ba3abbcc97854df45207f73ed2f4b9a224418afad1cfdccf0d95ef88c69311282516931808b9caccd2e0c6e64d7c3f07acbd7a
SSDEEP: 24576:1qDEvCTbMWu7rQYlBQcBiT6rprG8aMsYQWACbIXiZy5NlD:1TvC/MTQYxsWR7aMYW8iw5z
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Detect ZGRat V1 (33 IoCs)
resource | yara_rule
behavioral1/memory/2624-30-0x0000000000370000-0x00000000003C6000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-31-0x0000000000C70000-0x0000000000CC4000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-65-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-57-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-93-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-92-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-89-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-87-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-85-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-83-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-71-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-69-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-67-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-63-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-61-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-59-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-55-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-53-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-51-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-49-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-45-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-43-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-41-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-39-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-37-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-36-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-34-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-82-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-79-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-77-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-75-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-73-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
behavioral1/memory/2624-47-0x0000000000C70000-0x0000000000CBE000-memory.dmp | family_zgrat_v1
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 3064 set thread context of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2624 | RegSvcs.exe
2624 | RegSvcs.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
pid | Process
2400 | Factura Proforma Nº 2024000107.exe
3064 | Factura Proforma Nº 2024000107.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 2624 | RegSvcs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
pid | Process
2400 | Factura Proforma Nº 2024000107.exe
2400 | Factura Proforma Nº 2024000107.exe
3064 | Factura Proforma Nº 2024000107.exe
3064 | Factura Proforma Nº 2024000107.exe

Suspicious use of SendNotifyMessage (4 IoCs)
pid | Process
2400 | Factura Proforma Nº 2024000107.exe
2400 | Factura Proforma Nº 2024000107.exe
3064 | Factura Proforma Nº 2024000107.exe
3064 | Factura Proforma Nº 2024000107.exe

Suspicious use of WriteProcessMemory (19 IoCs)
description | pid | Process | procid_target
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 2028 | 2400 | Factura Proforma Nº 2024000107.exe | 28
PID 2400 wrote to memory of 3064 | 2400 | Factura Proforma Nº 2024000107.exe | 29
PID 2400 wrote to memory of 3064 | 2400 | Factura Proforma Nº 2024000107.exe | 29
PID 2400 wrote to memory of 3064 | 2400 | Factura Proforma Nº 2024000107.exe | 29
PID 2400 wrote to memory of 3064 | 2400 | Factura Proforma Nº 2024000107.exe | 29
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
PID 3064 wrote to memory of 2624 | 3064 | Factura Proforma Nº 2024000107.exe | 30
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
  PID: 2400
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
    PID: 2028

  (depth 2) C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
    PID: 3064
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Factura Proforma Nº 2024000107.exe"
      PID: 2624
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 263KB
MD5: 6cf3c765268057401b03eca327aa2d87
SHA1: 4cc0f1c03bc77f5a7612adb0bb7f04ba3de8ec8b
SHA256: 455c788c58930a02e8d465d9639df8e55ebdeb839af4981d4c82fdc8949d04a8
SHA512: a92084c528b3a6d9d03a05ce383f4a51d3745f85a852c9f7e32165f31234eefe6d6a9216fc8e15d2da40b75436a21b62616f47a7313c91dd96d21c53db5b4c84

Filesize: 263KB
MD5: ff69e5b87fc95975f561a198436ff13d
SHA1: c7530be06a74881045428e4d8bf42b05205445d2
SHA256: f943793eadc0fb8f6966cc9c1514f3d68ff194f387fb50290ae64d05db9aa423
SHA512: 2e5ffa05f06a056c138823726822a3c469ccd1aad29906c20e40c85d0194a99f081f4ecfe2ac73d54fdd2282f8b3b95b4b9fa47c950f3045a36fd862e19da723

Filesize: 28KB
MD5: d150336a77fcd72be6e703391461755d
SHA1: d1dd9861ea6295faa178312fdddf85504de531a1
SHA256: 7c55f821158f3f2ce3608f5f6001b907cd3ce93dbe12c9d296577c00cf41a2b5
SHA512: 814099f8f991d4c04b3aeb5b24ad778230622991f9198ae0cc31317838bb5217f30fa777f522d873014744c1e84e051bf740baefa7c115da66604a5ac27072ee