Analysis
-
max time kernel
142s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
03-06-2024 09:51
Static task
static1
Behavioral task
behavioral1
Sample
PO76389.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
PO76389.exe
Resource
win10v2004-20240226-en
General
-
Target
PO76389.exe
-
Size
851KB
-
MD5
b78a41cfedbd72be9cda0c2e8b456b9b
-
SHA1
842a457a15cd9b35c930e86aa3adca801231c0c9
-
SHA256
b43813d1e597a0633fc8693d5921688a8b189cfdc6c74fda22e42c2aefa3270c
-
SHA512
2511b4647e030b02b3441fdf17259fa49547dead3c3b19d4a8bd04b1825d5bbe464d00cee273bd35f06a14bb66c135453e8d381bdf2b8c0fc2d5e5ba5edaecee
-
SSDEEP
12288:PMYeaky/Qa0KP1x+kPwu9JaGYd89Lt/rFfaolj2YqEvlw7KZNy6XXSJFY/SYwkiN:PMYej0N5iYKR6XXSvY/STixHu9Iif
Malware Config
Extracted
Protocol: smtp- Host:
mail.psgrasa.ir - Port:
587 - Username:
[email protected] - Password:
mahsa730101
Extracted
agenttesla
Protocol: smtp- Host:
mail.psgrasa.ir - Port:
587 - Username:
[email protected] - Password:
mahsa730101 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
PO76389.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\YxAesh = "C:\\Users\\Admin\\AppData\\Roaming\\YxAesh\\YxAesh.exe" PO76389.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 29 api.ipify.org 30 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
PO76389.exedescription pid process target process PID 3012 set thread context of 2968 3012 PO76389.exe PO76389.exe -
Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes:
PO76389.exePO76389.exepid process 3012 PO76389.exe 3012 PO76389.exe 3012 PO76389.exe 3012 PO76389.exe 3012 PO76389.exe 3012 PO76389.exe 2968 PO76389.exe 2968 PO76389.exe 2968 PO76389.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
PO76389.exePO76389.exedescription pid process Token: SeDebugPrivilege 3012 PO76389.exe Token: SeDebugPrivilege 2968 PO76389.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
PO76389.exepid process 2968 PO76389.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
PO76389.exedescription pid process target process PID 3012 wrote to memory of 1624 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 1624 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 1624 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 3156 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 3156 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 3156 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2096 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2096 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2096 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe PID 3012 wrote to memory of 2968 3012 PO76389.exe PO76389.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\PO76389.exe"C:\Users\Admin\AppData\Local\Temp\PO76389.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012 -
C:\Users\Admin\AppData\Local\Temp\PO76389.exe"C:\Users\Admin\AppData\Local\Temp\PO76389.exe"2⤵PID:1624
-
C:\Users\Admin\AppData\Local\Temp\PO76389.exe"C:\Users\Admin\AppData\Local\Temp\PO76389.exe"2⤵PID:3156
-
C:\Users\Admin\AppData\Local\Temp\PO76389.exe"C:\Users\Admin\AppData\Local\Temp\PO76389.exe"2⤵PID:2096
-
C:\Users\Admin\AppData\Local\Temp\PO76389.exe"C:\Users\Admin\AppData\Local\Temp\PO76389.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2968
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3612 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:81⤵PID:4156
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5b7b9acb869ccc7f7ecb5304ec0384dee
SHA16a90751c95817903ee833d59a0abbef425a613b3
SHA2568cb00a15cd942a1861c573d86d6fb430512c8e2f80f6349f48b16b8709ca7aa4
SHA5127bec881ac5f59ac26f1be1e7e26d63f040c06369de10c1c246e531a4395d27c335d9acc647ecdedb48ed37bdc2dc405a4cfc11762e1c00659a49be259eaf8764