Analysis
- max time kernel: 119s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 21/05/2024, 03:43

Static task: static1
Behavioral task: behavioral1
- Sample: FaturaBildirim.exe
- Resource: win7-20240508-en
General
- Target: FaturaBildirim.exe
- Size: 676KB
- MD5: c7be962ea1dde7fb4ae315d7c69a7988
- SHA1: a24475c78c57873d495f4bcb14b71246e050add6
- SHA256: 179e544a547fd06c8af3d0aa5160448c1acf22e0d0343832097788d916051570
- SHA512: 6546d783142c3b7db898d67dd74413c7bf675b8837bb07100849d2160d8a7773e6d843cb69f8c1ead1025a9a0e407b03573ff0e05ca1cb5fc5e18909861d8d26
- SSDEEP: 12288:olYifTSceFntlMDfhbnOn+jcfwi+jh7dMLB4M/qFHpEDepHz8M4H0GHhkR:nilItlIVe+ZiQB6/qFwEw8
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: zqamcx.com
- Port: 587
- Username: [email protected]
- Password: Methodman991
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTPs, 2 IoCs)
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
  pid | Process
  2544 | powershell.exe
  3040 | powershell.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 572 set thread context of 3020 | 572 | FaturaBildirim.exe | 34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  pid | Process
  2620 | schtasks.exe
- Suspicious behavior: EnumeratesProcesses (23 IoCs; identical rows collapsed, count shown)
  pid | Process | count
  572 | FaturaBildirim.exe | 19
  3020 | FaturaBildirim.exe | 2
  3040 | powershell.exe | 1
  2544 | powershell.exe | 1
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 572 | FaturaBildirim.exe
  Token: SeDebugPrivilege | 3020 | FaturaBildirim.exe
  Token: SeDebugPrivilege | 3040 | powershell.exe
  Token: SeDebugPrivilege | 2544 | powershell.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  3020 | FaturaBildirim.exe
- Suspicious use of WriteProcessMemory (21 IoCs; identical rows collapsed, count shown)
  description | pid | Process | procid_target | count
  PID 572 wrote to memory of 2544 | 572 | FaturaBildirim.exe | 28 | 4
  PID 572 wrote to memory of 3040 | 572 | FaturaBildirim.exe | 30 | 4
  PID 572 wrote to memory of 2620 | 572 | FaturaBildirim.exe | 32 | 4
  PID 572 wrote to memory of 3020 | 572 | FaturaBildirim.exe | 34 | 9
Processes
- C:\Users\Admin\AppData\Local\Temp\FaturaBildirim.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\FaturaBildirim.exe"
  PID: 572
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\FaturaBildirim.exe"
    PID: 2544
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\apqOjuQgh.exe"
    PID: 3040
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\apqOjuQgh" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC83F.tmp"
    PID: 2620
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\FaturaBildirim.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\FaturaBildirim.exe"
    PID: 3020
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 1KB
  MD5: 2fef2c721daef8cf595c071ee999ea1e
  SHA1: 5eaf5c737be56b1777703f85dcf4aa22386f1def
  SHA256: dc0b435466814ebda70aefc92d564b3a5fa19bb4a5b6de997c7edce7d9f6a084
  SHA512: b4d39a28ec76963f492bc540aa021745b11ff03333df128d095e2065dc3bda16d9f65846f21751f2e53ac67bbe6f56fdeaec5269faf160f2fde4903216144778
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KNMHTG8FRX9KFXM1S66S.temp
  Filesize: 7KB
  MD5: a90325b2865d548c4f7b2588a6238c14
  SHA1: db88c6b90eea5b2222edbd1b2e560343bc6661d2
  SHA256: 511b55a37bf9ad4537458948c6955b436cfea563d7ea13f4c6a28d58283ee4ab
  SHA512: c717540da150cf5746b7481d7afb195edf1fdf307a7a39db440ef7238a1eeada70b2acc2bdaf5228c52244596c480b0180cb3fb9ed5a132d6cf45b098727f6d4