Analysis
-
max time kernel
117s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
21/05/2024, 03:30
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20240426-en
General
-
Target
tmp.exe
-
Size
714KB
-
MD5
09cf1d5f7315e247594b908db4314789
-
SHA1
da28da4400078e612c19959002999b4beb5e1180
-
SHA256
eeef34eb0f890de8fe7f7a86a471acccdbee8e9d1668cdb0e022285a9910dfe8
-
SHA512
e590f0fbe9990d20bf6ec891ea30a582dc8cf58a6f97e9a4432049ab704977b042c80fdb0d239da7efa3b41ba201ac282b29998b4bcaf5e8fc6ed275d5dd14da
-
SSDEEP
12288:8WET/mr9KMBL1qNP+JUtMIeMYQyP/MmuxPLKKKOaK/ce:8WtbBLo2JUeIRDycTbq
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot6744817663:AAFJyzTv9CObDiCRjkgjtiOr-fMDQfjUcLk/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2016 set thread context of 1064 2016 tmp.exe 28 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1064 tmp.exe 1064 tmp.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1064 tmp.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1064 tmp.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28 PID 2016 wrote to memory of 1064 2016 tmp.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1064
-