Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
10-06-2024 04:45
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe
Resource
win10v2004-20240508-en
General
-
Target
2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe
-
Size
3.4MB
-
MD5
54d358a72bb5b80aed97c5f955b653e8
-
SHA1
f275c0f42c4b2591209c569b02999ea3583bcd26
-
SHA256
5773ec42fc5cc2b51b550f91d98ed11c0f41789ef602ae04ffb4986682e627d0
-
SHA512
35c559e92db11a5a76d221a155696ecb3c97fe09c70c8fab0424fdce5d7ea5087ac21c5a5f446baf1e74f91c7b7a47454929d08ce2a2f62ed1d1ea50f2c9075f
-
SSDEEP
49152:h8yJAk206NICMq5pzKRgqVzKRvgFuGCFmnDuoTO:2BsmAy
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
business29.web-hosting.com - Port:
587 - Username:
[email protected] - Password:
Mas_#()@?"obo""" - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Detect packed .NET executables. Mostly AgentTeslaV4. 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_EXE_Packed_GEN01 -
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_Binary_References_Browsers -
Detects executables referencing Windows vault credential objects. Observed in infostealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID -
Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurreny wallets, etc. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store -
Detects executables referencing many email and collaboration clients. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients -
Detects executables referencing many file transfer clients. Observed in information stealers 3 IoCs
Processes:
resource yara_rule behavioral1/memory/2476-0-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2476-4-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients behavioral1/memory/2476-3-0x0000000000400000-0x0000000000442000-memory.dmp INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exedescription pid Process procid_target PID 1732 set thread context of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
jsc.exepid Process 2476 jsc.exe 2476 jsc.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
jsc.exedescription pid Process Token: SeDebugPrivilege 2476 jsc.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exedescription pid Process procid_target PID 1732 wrote to memory of 3024 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 29 PID 1732 wrote to memory of 3024 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 29 PID 1732 wrote to memory of 3024 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 29 PID 1732 wrote to memory of 3024 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 29 PID 1732 wrote to memory of 3024 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 29 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30 PID 1732 wrote to memory of 2476 1732 2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-10_54d358a72bb5b80aed97c5f955b653e8_megazord.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1732 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵PID:3024
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2476
-