Analysis
-
max time kernel
120s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 05:33
Static task
static1
Behavioral task
behavioral1
Sample
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
Resource
win10v2004-20240426-en
General
-
Target
Pre Alert & Debit Note PO20766/Pre Alert & Debit Note PO20766.xlsx.exe
-
Size
390KB
-
MD5
9ad1097ef6d23a86d4b9327e54fdc9bc
-
SHA1
517d09c1d755f08f3c5bf073d87185a801b68907
-
SHA256
df9e1f7fa8d1badaa7afd42cc3aac4ef5aad3a9973ee71059599325284566e67
-
SHA512
1ea9293a6931e191b1c63537fc5ea003e8ae98d53242a711769052bf9ba1976def2bb5f7894f85a0da087c0a4354a68474268da77d8438cfbb0a04299df7c955
-
SSDEEP
6144:nG8/Pl5W2KYbjOrq1NijSchoiEC8IjhJwJpNhCF5qGI3f2nwf0F4eQhrt/bcnAI:n2rgijP7EHEsvNhC7IfBbhrt4T
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://s4.serv00.com - Port:
21 - Username:
f2241_dol - Password:
Doll900#@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\adobe = "C:\\Users\\Admin\\AppData\\Roaming\\adobe\\adobe.exe" Pre Alert & Debit Note PO20766.xlsx.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process procid_target PID 1704 set thread context of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exepid Process 2984 Pre Alert & Debit Note PO20766.xlsx.exe 2984 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process Token: SeDebugPrivilege 2984 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exepid Process 2984 Pre Alert & Debit Note PO20766.xlsx.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
Pre Alert & Debit Note PO20766.xlsx.exedescription pid Process procid_target PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28 PID 1704 wrote to memory of 2984 1704 Pre Alert & Debit Note PO20766.xlsx.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1704 -
C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"C:\Users\Admin\AppData\Local\Temp\Pre Alert & Debit Note PO20766\Pre Alert & Debit Note PO20766.xlsx.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2984
-