Analysis
-
max time kernel
143s -
max time network
145s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system -
submitted
17-05-2024 09:03
Behavioral task
behavioral1
Sample
3384-4910-0x0000000000400000-0x000000000044B000-memory.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
3384-4910-0x0000000000400000-0x000000000044B000-memory.exe
Resource
win10v2004-20240508-en
General
-
Target
3384-4910-0x0000000000400000-0x000000000044B000-memory.exe
-
Size
300KB
-
MD5
89f413212bcb3c3eb5a5d496bf33c812
-
SHA1
319e057de2b5fc74f5d40507d314e005de2cab35
-
SHA256
375829ac1424371c42781a040e71774597f1e2da3b10df0f0937479da24f4241
-
SHA512
af92e2f1a941ff3560b56de8fde953a9bfcf80c606f12cf2683b32dfc64015cc82cc52c05234dbf9d3803ec7332044b9b4741f2c1a04c7f15fcdf4679f5277a4
-
SSDEEP
6144:cl+xRRRRp3EagaSHorWtWTmFduCNXaKluwhOq3bjBZYl:9xRRRRp3LgaSHorWtWCuCNZ3BZYl
Malware Config
Extracted
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
s9jjoVvaZchS
Extracted
asyncrat
0.5.7B
April3rd2024
94.156.65.181:3434
A234sdgrgMutex_6SI8OkPnk
-
delay
3
-
install
false
-
install_folder
%AppData%
Extracted
agenttesla
Protocol: smtp- Host:
66.29.151.236 - Port:
587 - Username:
[email protected] - Password:
s9jjoVvaZchS - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Async RAT payload 1 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\FB_6497.tmp.exe family_asyncrat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
3384-4910-0x0000000000400000-0x000000000044B000-memory.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe -
Executes dropped EXE 2 IoCs
Processes:
FB_6419.tmp.exeFB_6497.tmp.exepid process 3284 FB_6419.tmp.exe 1668 FB_6497.tmp.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 api.ipify.org 20 api.ipify.org -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
FB_6419.tmp.exepid process 3284 FB_6419.tmp.exe 3284 FB_6419.tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
FB_6419.tmp.exedescription pid process Token: SeDebugPrivilege 3284 FB_6419.tmp.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
3384-4910-0x0000000000400000-0x000000000044B000-memory.exedescription pid process target process PID 4872 wrote to memory of 3284 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6419.tmp.exe PID 4872 wrote to memory of 3284 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6419.tmp.exe PID 4872 wrote to memory of 3284 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6419.tmp.exe PID 4872 wrote to memory of 1668 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6497.tmp.exe PID 4872 wrote to memory of 1668 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6497.tmp.exe PID 4872 wrote to memory of 1668 4872 3384-4910-0x0000000000400000-0x000000000044B000-memory.exe FB_6497.tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3384-4910-0x0000000000400000-0x000000000044B000-memory.exe"C:\Users\Admin\AppData\Local\Temp\3384-4910-0x0000000000400000-0x000000000044B000-memory.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4872 -
C:\Users\Admin\AppData\Local\Temp\FB_6419.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_6419.tmp.exe"2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3284
-
-
C:\Users\Admin\AppData\Local\Temp\FB_6497.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_6497.tmp.exe"2⤵
- Executes dropped EXE
PID:1668
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
237KB
MD58c4c985b5719d0acadafb2cc03f0e86e
SHA10e0644087a29575b5c4a1d3b76a79cf95c577d7b
SHA256a2007da837ca22cd0e894946f9ce20a3352ac42c34c5930c159730ea4538e79b
SHA5128255101de0ed591128c5d093cd683193a24f5044fc297e6e51ae58714b121164b480c9868c477c24d653a231dc17db4c5f78de9ccc084e14133cc95e14e6219c
-
Filesize
45KB
MD5ac190c9e687b2c110354d3809d32a57d
SHA13fdfeca134e469f6ac42e03b3d39359313fb36fc
SHA2566c0291916555438da7d3705991100d295d480ae58b98147a4d83fbd3cfb8dc19
SHA512161ae735acf5b60c6c906c1b0223838987a24cbb410623af2495b31e2e663561a6ecf1ad5f08956a6fb2134ebd32aaaa1573bae7e1c4abdfb7fb0ca8b2a9ecb5