Analysis
- max time kernel: 96s
- max time network: 98s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 09:50
Static task: static1
Behavioral task: behavioral1
  Sample: Additional Agreement5432.exe
  Resource: win7-20240220-en
Behavioral task: behavioral2
  Sample: Additional Agreement5432.exe
  Resource: win10v2004-20240426-en
General
- Target: Additional Agreement5432.exe
- Size: 1.0MB
- MD5: c31af689c2a98a34e4372db20e0468e0
- SHA1: a00007373d00cd7519d5c3520743d2fc7d7c05d6
- SHA256: 589a2ca9b2c36da41ee6d7366e35c943f6c6165719e6e699c6b9dccedb4a6503
- SHA512: 2bd225c396f07c0395fefd1ba14c1e53fa6311b54a097934bb19ee6a17236b24c120ba6314fffefdd5660e82a2a377bb986ea5541acb5dc19072ee7383725363
- SSDEEP: 24576:jAHnh+eWsN3skA4RV1Hom2KXMmHawhJDLYbQeDtC6LZG5:uh+ZkldoPK8Yaw3s5DY6LS
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: s30.securelayernetwork.com
- Port: 587
- Username: [email protected]
- Password: %lmb-a,[(1ty
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD = "C:\\Users\\Admin\\AppData\\Roaming\\SzvWIzD\\SzvWIzD.exe"
  process: RegSvcs.exe
- Looks up external IP address via web service (3 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 14: api.ipify.org
  flow 15: api.ipify.org
  flow 22: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Process: Additional Agreement5432.exe
  PID 2132 (Additional Agreement5432.exe) set thread context of PID 628 (RegSvcs.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 628 RegSvcs.exe (x2)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  PID 2132 Additional Agreement5432.exe (x2)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 628 RegSvcs.exe: Token: SeDebugPrivilege
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2132 Additional Agreement5432.exe (x2)
- Suspicious use of SendNotifyMessage (2 IoCs)
  PID 2132 Additional Agreement5432.exe (x2)
- Suspicious use of WriteProcessMemory (4 IoCs)
  PID 2132 (Additional Agreement5432.exe) wrote to memory of PID 628 (RegSvcs.exe), 4 times
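The signatures above are individually weak (WriteProcessMemory, SetThreadContext and a Run key each have benign uses); what makes this sample obvious is the combination: a user-land dropper writing into a freshly spawned signed .NET host and resetting its thread context, followed by persistence and an external-IP lookup from the hollowed process. The detector below replays that logic over constructed events modelled on this report. It is an added example written for this page, not the sandbox's own signature code; the event schema and field names, the sample events, the lists of .NET hosts and IP-lookup domains, the severity rules and the ATT&CK mapping are all the editor's assumptions, and only the PIDs, paths, key name and hostnames are taken from the report.

```python
"""Behavioural triage of this report's signatures, replayed over
constructed sandbox events.

Added example, not the sandbox's own code.  The event schema, the sample
events, the host/domain lists and the ATT&CK mapping are assumptions;
only the PIDs, paths, Run key name and hostnames come from the report.
"""
import ntpath
from collections import defaultdict

# Signed .NET utilities commonly abused as hollowing targets (assumed list).
DOTNET_HOSTS = {"regsvcs.exe", "regasm.exe", "installutil.exe",
                "msbuild.exe", "aspnet_compiler.exe"}
# Public IP-lookup services seen in stealer beacons (assumed list).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ip-api.com", "ipinfo.io",
                   "checkip.dyndns.org", "icanhazip.com"}

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

# Constructed events mirroring the report (not a real sandbox trace).
EVENTS = [
    {"api": "CreateProcess", "pid": 2132, "image": DROPPER,
     "child_pid": 628, "child_image": REGSVCS, "child_cmdline": f'"{DROPPER}"'},
    *[{"api": "WriteProcessMemory", "pid": 2132, "target_pid": 628}] * 4,
    {"api": "SetThreadContext", "pid": 2132, "target_pid": 628},
    {"api": "AdjustPrivilegeToken", "pid": 628, "privilege": "SeDebugPrivilege"},
    {"api": "RegSetValue", "pid": 628,
     "key": r"HKU\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SzvWIzD",
     "value": r"C:\Users\Admin\AppData\Roaming\SzvWIzD\SzvWIzD.exe"},
    {"api": "DnsQuery", "pid": 628, "host": "api.ipify.org"},
    {"api": "DnsQuery", "pid": 628, "host": "api.ipify.org"},
    {"api": "DnsQuery", "pid": 628, "host": "ip-api.com"},
]


def detect_hollowing(events):
    """T1055.012: a parent writes into a child it created, then resets the
    child's thread context.  Severity rises when the child is a signed .NET
    host whose command line names a different image (in the report,
    RegSvcs.exe was launched with the dropper's own command line)."""
    children = {e["child_pid"]: e for e in events if e["api"] == "CreateProcess"}
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e["api"] == "WriteProcessMemory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add((e["pid"], e["target_pid"]))
    findings = []
    for (parent, child), n in writes.items():
        if (parent, child) not in ctx:
            continue  # writes without a context reset: not the hollowing shape
        c = children.get(child, {})
        image = ntpath.basename(c.get("child_image", "")).lower()
        spoofed = bool(image) and image not in c.get("child_cmdline", "").lower()
        findings.append({
            "technique": "T1055.012", "parent": parent, "child": child,
            "writes": n, "dotnet_host": image in DOTNET_HOSTS,
            "cmdline_mismatch": spoofed,
            "severity": "high" if image in DOTNET_HOSTS and spoofed else "medium",
        })
    return findings


def detect_run_key(events):
    """T1547.001: a Run value pointing into a user-writable profile path."""
    out = []
    for e in events:
        if e["api"] == "RegSetValue" and r"\currentversion\run" in e["key"].lower():
            out.append({"technique": "T1547.001", "pid": e["pid"],
                        "name": ntpath.basename(e["key"]), "path": e["value"],
                        "user_writable": "\\appdata\\" in e["value"].lower()})
    return out


def detect_ip_lookup(events):
    """T1016: external-IP discovery, one entry per lookup host with a count."""
    hits = defaultdict(int)
    for e in events:
        if e["api"] == "DnsQuery" and e["host"].lower() in IP_LOOKUP_HOSTS:
            hits[e["host"].lower()] += 1
    return [{"technique": "T1016", "host": h, "count": n}
            for h, n in sorted(hits.items())]


def triage(events):
    """Run every detector and return the findings grouped by behaviour."""
    return {"hollowing": detect_hollowing(events),
            "persistence": detect_run_key(events),
            "ip_lookup": detect_ip_lookup(events)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(EVENTS), indent=2))
```

The command-line mismatch check is the cheap, high-value discriminator: a legitimate RegSvcs.exe invocation names its own image or an assembly on the command line, whereas a hollowed one inherits whatever the dropper passed to CreateProcess. Applied to real telemetry, the same three detectors map directly onto Sysmon event IDs 1, 8/10 and 13 plus DNS logs.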
Processes
1. Image: C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe"
   PID: 2132
   - Suspicious use of SetThreadContext
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of PID 2132)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Additional Agreement5432.exe"
      PID: 628
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

Note that RegSvcs.exe carries the dropper's command line rather than its own; together with the WriteProcessMemory and SetThreadContext calls from PID 2132 into PID 628, this is consistent with process hollowing of the signed .NET host, after which the injected payload (not the dropper) writes the Run key and performs the IP lookups.