Analysis
max time kernel: 118s
max time network: 118s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 01:32
Static task: static1
Behavioral task: behavioral1
  Sample: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  Resource: win10v2004-20240426-en
General
Target: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
Size: 1.0MB
MD5: 85f70dc6f29796d7d80aa3e290759058
SHA1: 7740df3b8105557f43347bbc0d0ba6bd42bf1eef
SHA256: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde
SHA512: a502868f4c14cd57ba95bcf66389ab352408f8f7dda1500e495f13b08e6d3ddea88a41044b3933cc0fa3c2fbd0b67d54570b4f087803b194a0974d0057d684c3
SSDEEP: 24576:AAHnh+eWsN3skA4RV1Hom2KXMmHatfXP8UDdZu5:3h+ZkldoPK8Yat38UD8
Malware Config
Extracted: agenttesla
Protocol: ftp
Host: ftp://ftp.antoniomayol.com:21
Port: 21
Username: [email protected]
Password: cMhKDQUk1{;%
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Drops startup file (1 IoC)
Process: obtenebrate.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\obtenebrate.vbs

Executes dropped EXE (1 IoC)
Process: obtenebrate.exe
  pid 1964, obtenebrate.exe

Loads dropped DLL (1 IoC)
Process: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4, ioc ip-api.com

AutoIT Executable (1 IoC)
AutoIT scripts compiled to PE executables.
  resource behavioral1/files/0x0008000000015d72-12.dat, yara_rule autoit_exe

Suspicious use of SetThreadContext (1 IoC)
Process: obtenebrate.exe
  description: PID 1964 set thread context of 2632
  pid 1964, obtenebrate.exe, procid_target 29

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Process: RegSvcs.exe
  pid 2632, RegSvcs.exe
  pid 2632, RegSvcs.exe

Suspicious behavior: MapViewOfSection (2 IoCs)
Process: obtenebrate.exe
  pid 1964, obtenebrate.exe
  pid 1964, obtenebrate.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Process: RegSvcs.exe
  description: Token: SeDebugPrivilege
  pid 2632, RegSvcs.exe

Suspicious use of FindShellTrayWindow (4 IoCs)
Processes: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe, obtenebrate.exe
  pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  pid 1964, obtenebrate.exe
  pid 1964, obtenebrate.exe

Suspicious use of SendNotifyMessage (4 IoCs)
Processes: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe, obtenebrate.exe
  pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
  pid 1964, obtenebrate.exe
  pid 1964, obtenebrate.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe, obtenebrate.exe
  description: PID 3008 wrote to memory of 1964; pid 3008, f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe, procid_target 28 (4 identical entries)
  description: PID 1964 wrote to memory of 2632; pid 1964, obtenebrate.exe, procid_target 29 (8 identical entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
   PID: 3008
   - Loads dropped DLL
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\quinquennia\obtenebrate.exe (tree level 2)
      Command line: "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
      PID: 1964
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (tree level 3)
         Command line: "C:\Users\Admin\AppData\Local\Temp\f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde.exe"
         PID: 2632
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 239KB
  MD5: 254ae003eb522aa351a5169d5981814e
  SHA1: 1c6fbb5bc853b427a4ca25b6f42e7cc6159f2902
  SHA256: d07aa87ea35cd5c423e64d2d243a71c4b811431d2a172db549d22d21fcd18002
  SHA512: d8bcd0a188926be1f7b17c487d1548a1efb3acdd09107ab59c36ddeba194c5025e681c861323067e79d6f4228dbd4c4f4fee953589570e7bec0bd932fe9ab3fe

File 2
  Filesize: 28KB
  MD5: a77290f7366f589e1c7c6e6e348d6ad0
  SHA1: f6f3ad8e761919fefdd9524e35489c463ce00bcc
  SHA256: 7ef623ce4f9abc5816b8f697f32befbf2d46dd68fe882aa106da9f64dbbdce13
  SHA512: d9eacb91df819dc43c9e2b9dad44e5ef63b898a82ab482533e8bf84d44de2d42595c8720582d5ca0995989edfc5ac09f436ada395811d4a02cc700f517e6845d

File 3 (hashes match the submitted sample)
  Filesize: 1.0MB
  MD5: 85f70dc6f29796d7d80aa3e290759058
  SHA1: 7740df3b8105557f43347bbc0d0ba6bd42bf1eef
  SHA256: f42992d8268aa34512b20268ae4ea7a11609e9467f35b6cd5eebadbea0125bde
  SHA512: a502868f4c14cd57ba95bcf66389ab352408f8f7dda1500e495f13b08e6d3ddea88a41044b3933cc0fa3c2fbd0b67d54570b4f087803b194a0974d0057d684c3