Analysis
-
max time kernel
151s -
max time network
158s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
12-06-2024 01:46
Behavioral task
behavioral1
Sample
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe
Resource
win10v2004-20240226-en
General
-
Target
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe
-
Size
245KB
-
MD5
1a0560f13b44ddf5f184133acf4a45d5
-
SHA1
2950616500d9b6f6b131b65b913b4483be8fa0db
-
SHA256
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e
-
SHA512
52130d758e3ab71c53985ceea24d2055b001367e5de9fb3e9d308df971b6be915023a951249f89db9035b24485ea63cea17923999c8fceda48c1d7d6d9958e7c
-
SSDEEP
3072:LybzvbfzheJeHB6p2Smetl4+Hr5qDUPyZT:mzvbfzheJeHBCm4l4+H6UqZ
Malware Config
Extracted
Protocol: smtp- Host:
mail.softtricksmedia.com - Port:
587 - Username:
[email protected] - Password:
soft#!7som7
Extracted
agenttesla
Protocol: smtp- Host:
mail.softtricksmedia.com - Port:
587 - Username:
[email protected] - Password:
soft#!7som7 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OHGzVK = "C:\\Users\\Admin\\AppData\\Roaming\\OHGzVK\\OHGzVK.exe" 3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 6 api.ipify.org 7 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exepid process 2920 3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe 2920 3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe 2920 3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exedescription pid process Token: SeDebugPrivilege 2920 3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe"C:\Users\Admin\AppData\Local\Temp\3bbb2a13c8bf4cb9ad75f237b66466f32b58d9b04f3bf81cf169f7efb464417e.exe"1⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2920
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:81⤵PID:4848