Analysis
-
max time kernel
119s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
03-06-2024 09:13
Static task
static1
Behavioral task
behavioral1
Sample
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr
Resource
win10v2004-20240426-en
General
-
Target
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr
-
Size
844KB
-
MD5
d1473af035ad29a5106b6e0c86136c62
-
SHA1
d8aa3f840097d53cb03d35020e1ec904aa779b6c
-
SHA256
09e3dca360715fc66070377bbf9ac07c8af08b6f5bc11a8e9de381368b21a32d
-
SHA512
ab1c50459147d77ab5359d1899d7107c698e712cc6e6cd6371236a4a59ad04d755c563e8d58e9ef3e92ebbb7b575da798af1c2e16becb6040e141d7503820ed9
-
SSDEEP
24576:JMYeNVDN5i/7oYEADXg/7w6y5frNhSXiRIVqf:JMYePN5i/7vEWwjwNfrrSXwIVq
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://beirutrest.com - Port:
21 - Username:
[email protected] - Password:
9yXQ39wz(uL+
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scrdescription pid process target process PID 2340 set thread context of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scrpid process 2596 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr 2596 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scrdescription pid process Token: SeDebugPrivilege 2596 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scrdescription pid process target process PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr PID 2340 wrote to memory of 2596 2340 JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr
Processes
-
C:\Users\Admin\AppData\Local\Temp\JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr"C:\Users\Admin\AppData\Local\Temp\JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr" /S1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Users\Admin\AppData\Local\Temp\JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr"C:\Users\Admin\AppData\Local\Temp\JS ONSAN-VESSEL_DETAILS(1)(1).xlsx.scr"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2596
-