Analysis
-
max time kernel
120s -
max time network
124s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
24-05-2024 02:13
Behavioral task
behavioral1
Sample
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe
Resource
win10v2004-20240508-en
General
-
Target
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe
-
Size
164KB
-
MD5
0c09f22632b14a1d246352824a1f61dc
-
SHA1
7aa656ea3a49390c20c8bf63e771a40ef11d55bc
-
SHA256
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d
-
SHA512
ec9bf229c38e266d55781a52f2701ecd20f6920d2f710df8646b0b7033b87f516d12657d3fca48bdcc32ef06d491fc96377a75b8dc38c8a60b7cdf7c19ff1f48
-
SSDEEP
3072:MF/5/266+2eVhEB4Hf1wIP98XzbwoByKLcS/yEMz4D/:MF/5/266lB4NPuXf+KiEMz
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot5806691582:AAH6u3QmlmdvCPddcnWF_1vIYT8ymbk2K8M/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exepid process 2264 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe 2264 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exedescription pid process Token: SeDebugPrivilege 2264 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe -
outlook_office_path 1 IoCs
Processes:
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe -
outlook_win_path 1 IoCs
Processes:
30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe"C:\Users\Admin\AppData\Local\Temp\30f64281ea204827b9b7e4ff12a9a7df2463ee0543c258d15b71aeedca30d62d.exe"1⤵
- Accesses Microsoft Outlook profiles
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2264
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2264-0-0x0000000073EEE000-0x0000000073EEF000-memory.dmpFilesize
4KB
-
memory/2264-1-0x0000000000A30000-0x0000000000A60000-memory.dmpFilesize
192KB
-
memory/2264-2-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB
-
memory/2264-3-0x0000000073EEE000-0x0000000073EEF000-memory.dmpFilesize
4KB
-
memory/2264-4-0x0000000073EE0000-0x00000000745CE000-memory.dmpFilesize
6.9MB