Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 01:05
Behavioral task
behavioral1
Sample
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe
Resource
win7-20240215-en
Behavioral task
behavioral2
Sample
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe
Resource
win10v2004-20240226-en
General
-
Target
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe
-
Size
241KB
-
MD5
06958a957a651fba0ec57b11d6f7e804
-
SHA1
0f2acb54e0069ceb34555f483080440e1fa38a27
-
SHA256
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32
-
SHA512
d38db4be16370a6c044aac9cfa0c173e360c28892e1e0e2cd98d511451155bcbb480484b753a5efa6be339957ad2eeb49b6f09cb3822bae9681e5057d81961e7
-
SSDEEP
3072:X04y6+6GKGcZJ21A9bXBJVzcwJq8Dgj54CcXZ8wepBt3:XK6+6GKGcZJh9lJGwk8DgoXZ8p
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7065054355:AAGvKozyIFTruitkksV45RlLGqriLqyMLhs/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org 6 ip-api.com -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exepid Process 2040 41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe 2040 41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exedescription pid Process Token: SeDebugPrivilege 2040 41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe"C:\Users\Admin\AppData\Local\Temp\41314bf57541a2a16c6c44442048e4ead8b7e32b562a75b5635ceae793403f32.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040