Analysis
- max time kernel: 117s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 01:38
Static task: static1

Behavioral task: behavioral1
- Sample: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
- Resource: win7-20240220-en

Behavioral task: behavioral2
- Sample: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
- Resource: win10v2004-20240226-en
General
- Target: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
- Size: 166KB
- MD5: ed1f4802fc687f24827dc818def3862c
- SHA1: e4a066d81dd582f7dee2d523feac1612f1809649
- SHA256: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d
- SHA512: 4720a25d5bb6de9b8cc8cf2ef2b11fb52e3ad9fabd25ebcec92ce055671dcbb0dd2882c95580449e6c4374a3d927a1d7c949d75db76772d02ce5465aad97a40d
- SSDEEP: 768:bQ0KFwpdwTXm/Rer+pg4pXDOTixnaLB0Kt4r:bQBGwTXmMrIDpXDO0nO0Kt4r
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: 162.254.34.31
- Port: 587
- Username: [email protected]
- Password: ABwuRZS5Mjh5
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Adds Run key to start application (2 TTPs, 1 IoC)
Processes: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fotbczlce = "C:\\Users\\Admin\\AppData\\Roaming\\Fotbczlce.exe" | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
10 | api.ipify.org
11 | api.ipify.org

Suspicious use of SetThreadContext (1 IoC)
Processes: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
description | pid | process | target process
PID 1684 set thread context of 3348 | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Gathers network information (2 TTPs, 2 IoCs)
Uses a command-line utility to view network configuration.
Processes: ipconfig.exe, ipconfig.exe
pid | process
3180 | ipconfig.exe
3460 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
pid | process
3348 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
3348 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe, 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
description | pid | process
Token: SeDebugPrivilege | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
Token: SeDebugPrivilege | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
Token: SeDebugPrivilege | 3348 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe

Suspicious use of WriteProcessMemory (25 IoCs)
Processes: 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe, cmd.exe, cmd.exe
(identical events collapsed; the count column gives the number of occurrences, 25 in total)
description | pid | process | target process | count
PID 1684 wrote to memory of 3156 | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe | cmd.exe | 4
PID 3156 wrote to memory of 3180 | 3156 | cmd.exe | ipconfig.exe | 4
PID 1684 wrote to memory of 3348 | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe | 9
PID 1684 wrote to memory of 3428 | 1684 | 53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe | cmd.exe | 4
PID 3428 wrote to memory of 3460 | 3428 | cmd.exe | ipconfig.exe | 4
Processes

Depth 1: C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1684

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    - Suspicious use of WriteProcessMemory
    PID: 3156

    Depth 3: C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /release
      - Gathers network information
      PID: 3180

  Depth 2: C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\53a5e299f9e221537cc2d8d12f5104e6c7c35c6816c5648e2f1807198bbdd37d.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID: 3348

  Depth 2: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - Suspicious use of WriteProcessMemory
    PID: 3428

    Depth 3: C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      - Gathers network information
      PID: 3460