Analysis
max time kernel: 120s
max time network: 128s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 04-06-2024 01:42
Static task: static1
Behavioral task: behavioral1
  Sample: 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe
  Resource: win10v2004-20240426-en
General
Target: 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe
Size: 700KB
MD5: 13c5a61000759346402f0b34ba90d241
SHA1: cbdf3f73b57907e1eb86d6e622f83de958dde709
SHA256: 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9
SHA512: 52e688c77a21adc59723b38d9b38a9be137290528359c3d1767d2ce961a8c74e8ca4e5ab5697d32cf284631f1926c183f1d00d26811100253c9383340bf0feb1
SSDEEP: 12288:VlYfarHpUixrVzCKvwAgvcqtwgKSr35cYu6dCOb4lH:/MaTzPdm0qelQ35K6UHlH
Malware Config
Extracted: agenttesla
https://api.telegram.org/bot7098846156:AAEjEB6oInXMIjueYEkuPxnI5YrdoTBJpKo/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          | pid  | Process                                                               | procid_target
  PID 2348 set thread context of 2612  | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | Process
  2612 | AddInProcess32.exe
  2612 | AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description             | pid  | Process
  Token: SeDebugPrivilege | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe
  Token: SeDebugPrivilege | 2612 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                        | pid  | Process                                                               | procid_target
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2612   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 28
  PID 2348 wrote to memory of 2652   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 29
  PID 2348 wrote to memory of 2652   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 29
  PID 2348 wrote to memory of 2652   | 2348 | 8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe | 29
Processes
- C:\Users\Admin\AppData\Local\Temp\8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe (PID 2348)
  Command line: "C:\Users\Admin\AppData\Local\Temp\8474072e7cb3c37bb710635e6c11035b55591c60f9a5f30112b4b20a5cf2e1b9.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 2612, child of 2348)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe (PID 2652, child of 2348)
    Command line: C:\Windows\system32\WerFault.exe -u -p 2348 -s 656