Analysis
max time kernel: 118s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03-06-2024 09:51
Static task: static1
Behavioral task: behavioral1
  Sample: quotationsheet.exe
  Resource: win7-20240419-en
Behavioral task: behavioral2
  Sample: quotationsheet.exe
  Resource: win10v2004-20240426-en
General
Target: quotationsheet.exe
Size: 703KB
MD5: d1e338f0c608088b7b5aa2e20c3df8ca
SHA1: e27a61a67b4c103595135df9567cac7152d93765
SHA256: d3b852f73cf956335e5cd16bcf94d255065c04b13dc9efb34fe52fdfe6ffed2d
SHA512: 2664e688950b24991784c62c7e898f23d4d95b8847122add721ce1e88030b84456c54394ea23488d840009a74032d799db004af9ffe9e352f5abb02061ca9b97
SSDEEP: 12288:nbhdAAU3oYkb4oGrX52fAXAxySliLh4oIhoBIBAjdHU5TCsnX+phDqM9FDv:nHAZo1FiJWAQGLCoIK6AFiGsO7D9v
Malware Config
Extracted
Family: agenttesla
C2: https://api.telegram.org/bot7225809616:AAEt7H1sHiGor6_FJDBNVWoXF_3jTIBVboA/
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  4     ip-api.com

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process             target process
  PID 3000 set thread context of 2568  3000  quotationsheet.exe  CasPol.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2568  CasPol.exe
  2568  CasPol.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3000  quotationsheet.exe
  Token: SeDebugPrivilege  2568  CasPol.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   process
  2568  CasPol.exe

Suspicious use of WriteProcessMemory (25 IoCs; identical rows grouped, count in the last column)
  description                       pid   process             target process  writes
  PID 3000 wrote to memory of 2992  3000  quotationsheet.exe  msbuild.exe     8
  PID 3000 wrote to memory of 1208  3000  quotationsheet.exe  jsc.exe         4
  PID 3000 wrote to memory of 2568  3000  quotationsheet.exe  CasPol.exe      9
  PID 3000 wrote to memory of 2744  3000  quotationsheet.exe  CasPol.exe      4
Processes

C:\Users\Admin\AppData\Local\Temp\quotationsheet.exe  (PID 3000)
  command line: "C:\Users\Admin\AppData\Local\Temp\quotationsheet.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe  (PID 2992)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe  (PID 1208)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  (PID 2568)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe  (PID 2744)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
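The signature tables and process tree above together describe one pattern: a loader running from the user's Temp directory spawns four .NET Framework utilities with no arguments, writes into all of them (25 WriteProcessMemory calls), but replaces the thread context of only one (CasPol.exe, PID 2568), and that is the only child that then shows behaviour of its own (SeDebugPrivilege, process enumeration, SetWindowsHookEx). The Python below is an added example, not code from the Triage report or from the sample: it turns that pattern into a detection over sandbox-style API events. The Event schema, the list of hollowing host binaries beyond the three in the report, and the sample events are assumptions; the sample events are constructed to mirror the report's PIDs and counts.

```python
"""Flag process hollowing into .NET Framework utilities from sandbox-style API events.

Added example, not part of the Triage report or the sample: the Event schema, the
host-binary list and the sample events are assumptions; the sample events are
constructed to mirror the report (PIDs 3000, 2992, 1208, 2568, 2744).
"""
import ntpath
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List

# .NET Framework utilities that loaders commonly spawn suspended and hollow.
# The report shows msbuild.exe, jsc.exe and CasPol.exe; the rest are assumed
# additions a practitioner would watch for.
DOTNET_HOSTS = {"caspol.exe", "msbuild.exe", "jsc.exe", "vbc.exe", "csc.exe",
                "regasm.exe", "regsvcs.exe", "installutil.exe", "cvtres.exe"}
DOTNET_DIR = r"c:\windows\microsoft.net\framework"   # also matches Framework64


@dataclass
class Event:
    kind: str          # create | write_memory | set_thread_context |
                       # token_privilege | hook | enumerate_processes
    pid: int           # acting process
    image: str         # acting process image path
    target: int = 0    # target pid for write_memory / set_thread_context
    cmdline: str = ""  # for create: command line of the new process
    detail: str = ""   # e.g. privilege name or hooked API


@dataclass
class Finding:
    source_pid: int
    source_image: str
    target_pid: int
    target_image: str
    writes: int
    thread_context_replaced: bool
    host_launched_without_args: bool
    post_injection: List[str]   # behaviour later attributed to the target pid

    @property
    def verdict(self) -> str:
        # WriteProcessMemory alone is staging; redirecting the suspended primary
        # thread with SetThreadContext is what completes the hollowing.
        return "hollowed" if self.thread_context_replaced else "injection-attempt"


def is_dotnet_host(image: str) -> bool:
    p = image.lower()
    return p.startswith(DOTNET_DIR) and ntpath.basename(p) in DOTNET_HOSTS


def launched_without_args(image: str, cmdline: str) -> bool:
    # A framework utility started as just "<path>" does nothing useful on its
    # own; an argument-less launch by a non-developer parent is the tell.
    return cmdline.strip().strip('"').lower() == image.lower()


def detect(events: List[Event]) -> List[Finding]:
    images: Dict[int, str] = {}
    cmdlines: Dict[int, str] = {}
    writes: Counter = Counter()          # (source pid, target pid) -> write count
    ctx = set()                          # (source pid, target pid) with SetThreadContext
    post: Dict[int, List[str]] = defaultdict(list)
    for e in events:
        if e.kind == "create":
            images[e.pid] = e.image
            cmdlines[e.pid] = e.cmdline
        elif e.kind == "write_memory":
            writes[(e.pid, e.target)] += 1
        elif e.kind == "set_thread_context":
            ctx.add((e.pid, e.target))
        elif e.kind in ("token_privilege", "hook", "enumerate_processes"):
            post[e.pid].append(e.detail or e.kind)

    findings = []
    for src, dst in sorted(set(writes) | ctx):
        dst_image = images.get(dst, "")
        if not is_dotnet_host(dst_image):
            continue   # this rule only scores injection into framework utilities
        findings.append(Finding(
            source_pid=src, source_image=images.get(src, ""),
            target_pid=dst, target_image=dst_image,
            writes=writes[(src, dst)],
            thread_context_replaced=(src, dst) in ctx,
            host_launched_without_args=launched_without_args(dst_image, cmdlines.get(dst, "")),
            post_injection=post.get(dst, []),
        ))
    return findings


# Constructed events mirroring the report's process tree and signature tables.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\quotationsheet.exe"
FW = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"


def _fw(name: str) -> str:
    return FW + "\\" + name


EVENTS: List[Event] = [Event("create", 3000, SAMPLE, cmdline=f'"{SAMPLE}"')]
for pid, name in ((2992, "msbuild.exe"), (1208, "jsc.exe"), (2568, "CasPol.exe"), (2744, "CasPol.exe")):
    EVENTS.append(Event("create", pid, _fw(name), cmdline=f'"{_fw(name)}"'))
for dst, n in ((2992, 8), (1208, 4), (2568, 9), (2744, 4)):      # 25 writes in total
    EVENTS.extend(Event("write_memory", 3000, SAMPLE, target=dst) for _ in range(n))
EVENTS += [
    Event("set_thread_context", 3000, SAMPLE, target=2568),
    Event("token_privilege", 3000, SAMPLE, detail="SeDebugPrivilege"),
    Event("token_privilege", 2568, _fw("CasPol.exe"), detail="SeDebugPrivilege"),
    Event("enumerate_processes", 2568, _fw("CasPol.exe")),
    Event("enumerate_processes", 2568, _fw("CasPol.exe")),
    Event("hook", 2568, _fw("CasPol.exe"), detail="SetWindowsHookEx"),
]

if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f.verdict:<18} {f.source_pid} -> {f.target_pid} {ntpath.basename(f.target_image)} "
              f"writes={f.writes} no-args={f.host_launched_without_args} post={f.post_injection}")
```

Run stand-alone it prints one line per injected child; only PID 2568 scores "hollowed", and its post-injection list carries the privilege, enumeration and hook events the report attributes to that CasPol.exe. The source path is recorded rather than filtered on, so the rule stays useful when a loader runs from somewhere other than Temp; tune DOTNET_HOSTS to the framework binaries your environment actually allows to be spawned without arguments.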