Analysis
max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 10-06-2024 04:36
Static task: static1
Behavioral task: behavioral1
  Sample: bank details.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: bank details.exe
  Resource: win10v2004-20240508-en
(Every signature, process and memory dump below is tagged behavioral1, i.e. the Windows 7 run; no behavioral2 results appear on this page.)
General
Target: bank details.exe
Size: 804KB
MD5: aef42942c28ddb020f9694c8b701873f
SHA1: b2f5168edc9b1b9bbdbcc8089ae24dc852ed0080
SHA256: 255306dc51f8e03d60b15c31fcda56678224ff0e6781266a47aa71d5897429e7
SHA512: fcc62ed477853e90909f89612b2445afe4d90addc01fd90c2e4628d2dc4246649f37e07fac22bd958c8241004d39851a29dc4113da2b43f46e403a785225477c
SSDEEP: 24576:ECTC3c6eWT56abnuA4y4pCmncHCHzs8j4gtY+VTqCo:Eyq56abnuNpCmncH81j4gtY+VTqp
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: mail.tajhiz-gostaran.com
Port: 587
Username: [email protected]
Password: Ohv@dRNG{N^grViQHl
Email To: [email protected]
(The two mailbox addresses are obfuscated on the page as captured and cannot be recovered from it; the host, port and password are the usable indicators. The sender and the recipient mailbox are attacker-controlled; treat outbound SMTP from a user workstation to this host on 587 as exfiltration.)
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; this sample is configured to exfiltrate over SMTP (see Malware Config above).
-
Detects packed .NET executables. Mostly AgentTeslaV4. 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_EXE_Packed_GEN01
-
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_Binary_References_Browsers
-
Detects executables referencing Windows vault credential objects. Observed in infostealers 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID
-
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store
-
Detects executables referencing many email and collaboration clients. Observed in information stealers 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients
-
Detects executables referencing many file transfer clients. Observed in information stealers 5 IoCs
Processes:
  resource                                                                      yara_rule
  behavioral1/memory/2564-25-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2564-30-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2564-29-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2564-28-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
  behavioral1/memory/2564-23-0x0000000000400000-0x0000000000442000-memory.dmp   INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients
(The rule name INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients is spelled that way in the rule set itself; it is an identifier, not a typo on this page.)
All six rules fire on the same five dumps of one region, 0x00400000-0x00442000 (0x42000 bytes, about 264KB), in PID 2564, the RegSvcs.exe host: that region is the unpacked Agent Tesla payload written into RegSvcs.exe, not the 804KB dropper on disk. No rule is listed against the file itself, so do not expect these rules to match the sample statically; scan memory or an unpacked dump.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
  pid    Process
  2744   powershell.exe
  2628   powershell.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\boqXv = "C:\\Users\\Admin\\AppData\\Roaming\\boqXv\\boqXv.exe"
  Process: RegSvcs.exe
Note that the Run value is written by the hollowed RegSvcs.exe (PID 2564), not by the dropper, and that it points at boqXv\boqXv.exe under Roaming, while the scheduled task and the second Defender exclusion in the process tree below use a different name, hssWuq.exe. Neither file appears under Downloads, so this page does not show whether either binary was actually written; hunt for both names.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
  description                          pid    Process            procid_target
  PID 2988 set thread context of 2564  2988   bank details.exe   34
SetThreadContext on a child the parent has just created, combined with the twelve WriteProcessMemory calls from 2988 into 2564 listed below and the 0x00400000-0x00442000 image region dumped from 2564, is the process-hollowing pattern: RegSvcs.exe is started suspended, its image is overwritten with the Agent Tesla payload, and the thread's entry point is redirected into it.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
  pid    Process            events
  2988   bank details.exe   7
  2564   RegSvcs.exe        2
  2744   powershell.exe     1
  2628   powershell.exe     1
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description               pid    Process
  Token: SeDebugPrivilege   2988   bank details.exe
  Token: SeDebugPrivilege   2564   RegSvcs.exe
  Token: SeDebugPrivilege   2744   powershell.exe
  Token: SeDebugPrivilege   2628   powershell.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes:
  description                        pid    Process            procid_target   count
  PID 2988 wrote to memory of 2744   2988   bank details.exe   28              4
  PID 2988 wrote to memory of 2628   2988   bank details.exe   30              4
  PID 2988 wrote to memory of 2772   2988   bank details.exe   31              4
  PID 2988 wrote to memory of 2564   2988   bank details.exe   34              12
Each normally started child (the two powershell.exe instances and schtasks.exe) receives four writes; RegSvcs.exe receives twelve, which are the payload being written into the hollowed process.
Processes
- C:\Users\Admin\AppData\Local\Temp\bank details.exe
  "C:\Users\Admin\AppData\Local\Temp\bank details.exe"
  PID: 2988
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bank details.exe"
    PID: 2744
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hssWuq.exe"
    PID: 2628
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hssWuq" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp"
    PID: 2772
    - Creates scheduled task(s)
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    PID: 2564
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
The command lines name System32 but the images that ran are under SysWOW64: the dropper is a 32-bit process on a 64-bit host, so WoW64 file-system redirection maps its System32 requests to SysWOW64, which is also why the 32-bit Framework (not Framework64) RegSvcs.exe is the injection host. The sequence is the usual Agent Tesla loader chain: exclude the dropper and the future payload path from Defender before either is scanned, register a scheduled task named Updates\hssWuq from an XML definition dropped in Temp, then hollow RegSvcs.exe. RegSvcs.exe with an empty command line and a parent in a user's Temp directory is itself a strong detection signal, since the legitimate tool is only ever run with arguments by build tooling.
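The detection logic an analyst would derive from the tree above and from the Run-key write under Signatures, written here as an added example that is not part of the sandbox report: it runs over constructed Sysmon-style records (field names follow Sysmon Event ID 1 and Event ID 13; the records, including the benign MSBuild control, are made up to mirror this report and are not real logs) and correlates the four behaviours back to the root process of one tree, so that no single rule has to carry the verdict on its own.

```python
"""Correlate the behaviours from this report across constructed Sysmon-style
events (Event ID 1 = process create, Event ID 13 = registry value set).
Added example, not part of the sandbox report; the records below are made up
to mirror the process tree and the Run-key write, they are not real logs."""
import re

EVENTS = [  # constructed sample, field names follow Sysmon
    {"EventID": 1, "ProcessId": 2988, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\bank details.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\bank details.exe"'},
    {"EventID": 1, "ProcessId": 2744, "ParentProcessId": 2988,
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bank details.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                    r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\bank details.exe"'},
    {"EventID": 1, "ProcessId": 2772, "ParentProcessId": 2988,
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bank details.exe",
     "CommandLine": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hssWuq" '
                    r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6F47.tmp"'},
    {"EventID": 1, "ProcessId": 2564, "ParentProcessId": 2988,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\bank details.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"EventID": 13, "ProcessId": 2564,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "TargetObject": r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000"
                     r"\Software\Microsoft\Windows\CurrentVersion\Run\boqXv",
     "Details": r"C:\Users\Admin\AppData\Roaming\boqXv\boqXv.exe"},
    # benign control (hypothetical): a build legitimately running RegSvcs.exe with arguments
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 4000,
     "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
     "CommandLine": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" /tlb MyComponent.dll'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Local\\Temp|Roaming)\\", re.I)
NO_ARGS = re.compile(r'^\s*("[^"]*"|\S+)\s*$')   # command line is only the image path
DOTNET_HOSTS = ("regsvcs.exe", "regasm.exe", "installutil.exe", "msbuild.exe")

def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()

def check_process(ev):
    """Rule hits for one process-creation record, as (rule, evidence) tuples."""
    hits, img = [], image_name(ev["Image"])
    cmd, parent = ev.get("CommandLine", ""), ev.get("ParentImage", "")
    if img == "powershell.exe" and re.search(r"Add-MpPreference\s+-Exclusion", cmd, re.I):
        hits.append(("defender_exclusion", cmd))                      # T1562.001
    if img == "schtasks.exe" and re.search(r"/create\b", cmd, re.I) and \
            re.search(r'/xml\s+"?[^"]*\\AppData\\Local\\Temp\\', cmd, re.I):
        hits.append(("schtasks_xml_from_temp", cmd))                  # T1053.005
    # .NET utility started with no arguments by a parent living in a user-writable
    # directory: the hollowing pattern seen with RegSvcs.exe in this report (T1055.012)
    if img in DOTNET_HOSTS and NO_ARGS.match(cmd) and USER_WRITABLE.search(parent):
        hits.append(("hollowing_candidate", f"{parent} -> {cmd}"))
    return hits

def check_registry(ev):
    """Run-key value whose target lives under the user's AppData (T1547.001)."""
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    if re.search(r"\\CurrentVersion\\Run\\", target, re.I) and USER_WRITABLE.search(details):
        return [("run_key_to_appdata", f"{target} = {details}")]
    return []

def analyse(events):
    """Group every hit under the root ancestor visible in the event window."""
    parent_of = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    def root(pid, hops=64):
        while hops and parent_of.get(pid) in parent_of:
            pid, hops = parent_of[pid], hops - 1
        return pid
    trees = {}
    for ev in events:
        hits = check_process(ev) if ev["EventID"] == 1 else \
               check_registry(ev) if ev["EventID"] == 13 else []
        for rule, evidence in hits:
            trees.setdefault(root(ev["ProcessId"]), []).append((rule, ev["ProcessId"], evidence))
    return trees

def verdict(trees, min_rules=3):
    """Roots whose tree trips at least min_rules distinct rules -> sorted rule names."""
    return {pid: sorted({r for r, _, _ in hits}) for pid, hits in trees.items()
            if len({r for r, _, _ in hits}) >= min_rules}

if __name__ == "__main__":
    for pid, rules in verdict(analyse(EVENTS)).items():
        print(f"root PID {pid}: {', '.join(rules)}")
```

On the constructed input every hit rolls up to PID 2988, the dropper, and the verdict lists all four rules; the MSBuild-launched RegSvcs.exe with arguments trips nothing. The per-process rules are deliberately narrow (an empty RegSvcs.exe command line, a task XML under Temp, an exclusion added from the command line, a Run value under AppData) and the correlation by root ancestor is what turns four medium-confidence signals into one alert; in production the parent chain would be walked through the EDR's own process GUIDs rather than reusable PIDs.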
Network
MITRE ATT&CK Enterprise v15
Downloads
-
  Filesize: 1KB
  MD5: 7c4a21321a153d24c4840116eef6b5ed
  SHA1: b41d59e061c09cc2efab07fea8ef39f5f6927f18
  SHA256: 7c3a7b353ffccd139ca8f997e4b0e4c4fbf635274ae04fa7d0c32e710c1860db
  SHA512: 46f79a438d3cc045d40d1fa430e46b373013c9beca2e688ba2ef22cbdae2c08465eeae84217ed25ba233861ecbfb845aefdc1211b1141fdbd3caba82b03b3efc
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
  Filesize: 7KB
  MD5: aefbb6ac59acb9809cf314e7506643c7
  SHA1: 5aa12346548504ac4ec02eefe53144391fc8645e
  SHA256: a8e79f6c24d6e2b2bd6cdf086accee3769f6332ec465af19880cba45d457fecd
  SHA512: 816ba87e2ee29d8dbf79fabd70b92332e1eb1317ee568db4e011d6d364567848c15fcf968bf8078204e8b0e6f7000e6a6c1a6ee7b7f2872e541db8585892a144