Analysis
- max time kernel: 149s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-06-2024 09:51
Static task: static1
Behavioral task: behavioral1
- Sample: quotationsheet.exe
- Resource: win7-20240419-en
Behavioral task: behavioral2
- Sample: quotationsheet.exe
- Resource: win10v2004-20240426-en
General
- Target: quotationsheet.exe
- Size: 703KB
- MD5: d1e338f0c608088b7b5aa2e20c3df8ca
- SHA1: e27a61a67b4c103595135df9567cac7152d93765
- SHA256: d3b852f73cf956335e5cd16bcf94d255065c04b13dc9efb34fe52fdfe6ffed2d
- SHA512: 2664e688950b24991784c62c7e898f23d4d95b8847122add721ce1e88030b84456c54394ea23488d840009a74032d799db004af9ffe9e352f5abb02061ca9b97
- SSDEEP: 12288:nbhdAAU3oYkb4oGrX52fAXAxySliLh4oIhoBIBAjdHU5TCsnX+phDqM9FDv:nHAZo1FiJWAQGLCoIK6AFiGsO7D9v
Malware Config
Extracted
- Family: agenttesla
- C2: https://api.telegram.org/bot7225809616:AAEt7H1sHiGor6_FJDBNVWoXF_3jTIBVboA/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow 14: ip-api.com
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description: set thread context | pid: 4080 | process: quotationsheet.exe | target PID: 3684 | target process: installutil.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid 3684 | installutil.exe
    pid 3684 | installutil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    Token: SeDebugPrivilege | pid 4080 | quotationsheet.exe
    Token: SeDebugPrivilege | pid 3684 | installutil.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid 3684 | installutil.exe
- Suspicious use of WriteProcessMemory (17 IoCs)
  Processes (description | pid | process | target PID | target process):
    wrote to memory of | 4080 | quotationsheet.exe | 2860 | regsvcs.exe (3 entries)
    wrote to memory of | 4080 | quotationsheet.exe | 1796 | jsc.exe (3 entries)
    wrote to memory of | 4080 | quotationsheet.exe | 3684 | installutil.exe (8 entries)
    wrote to memory of | 4080 | quotationsheet.exe | 4456 | installutil.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\quotationsheet.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\quotationsheet.exe"
  PID: 4080
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
    PID: 2860
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
    PID: 1796
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    PID: 3684
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    PID: 4456