Analysis
- max time kernel: 51s
- max time network: 51s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 01:50
Static task: static1

Behavioral task: behavioral1
- Sample: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe
- Resource: win10v2004-20240508-en
General
- Target: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe
- Size: 1.1MB
- MD5: 062050b56fc306bbab4d17e72eea5c34
- SHA1: 8edbcc1dc7da0fab002d356d2a28b2350bcad025
- SHA256: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204
- SHA512: 82374a724a6747d8469e2bb5f38da963837ae020323a454ee4a9e8de6af4e00d4b9e3c4aa70dd8662de432e505dfdcf916ed2a0e06db471770f37ba59e63cffd
- SSDEEP: 24576:2qDEvCTbMWu7rQYlBQcBiT6rprG8ax3CrtGkb:2TvC/MTQYxsWR7aRa7
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.jaszredony.hu
- Port: 587
- Username: [email protected]
- Password: jRedony77
- Email To: [email protected]
Signatures

AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Drops startup file (1 IoC)
  Process: name.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs

Executes dropped EXE (1 IoC)
  Process: name.exe (PID 2788)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: RegSvcs.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\newfile = "C:\\Users\\Admin\\AppData\\Roaming\\newfile\\newfile.exe"

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 2: ip-api.com

AutoIT Executable (1 IoC)
  AutoIT scripts compiled to PE executables.
  Resource: C:\Users\Admin\AppData\Local\directory\name.exe
  YARA rule: autoit_exe

Suspicious use of SetThreadContext (1 IoC)
  PID 2788 (name.exe) set thread context of PID 3160 (RegSvcs.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Process: RegSvcs.exe (PID 3160), 2 occurrences

Suspicious behavior: MapViewOfSection (1 IoC)
  Process: name.exe (PID 2788)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Process: RegSvcs.exe (PID 3160)
  Token: SeDebugPrivilege

Suspicious use of FindShellTrayWindow (4 IoCs)
  Process: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe (PID 2128), 2 occurrences
  Process: name.exe (PID 2788), 2 occurrences

Suspicious use of SendNotifyMessage (4 IoCs)
  Process: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe (PID 2128), 2 occurrences
  Process: name.exe (PID 2788), 2 occurrences

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2128 (70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe) wrote to memory of PID 2788 (name.exe), 3 occurrences
  PID 2788 (name.exe) wrote to memory of PID 3160 (RegSvcs.exe), 4 occurrences
Processes

1. C:\Users\Admin\AppData\Local\Temp\70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe"
   PID: 2128
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\directory\name.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe"
      PID: 2788
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
         Command line: "C:\Users\Admin\AppData\Local\Temp\70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204.exe"
         PID: 3160
         - Adds Run key to start application
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Downloads

- Filesize: 239KB
  MD5: cc13866010326b0f575551964d056153
  SHA1: d1146815c895a8b849a14d76059dc9e2f3d09bf4
  SHA256: ef9b579ae3e1fb5ba1e073671ea3541218cd4180e16f400045fc26e5164053d5
  SHA512: 9912f9aaa2d069eb99f98e6640cbb350ce0c1d42513b74bae8311bfb3ca20cfab9e43e960556ab315e55450550c8fc0511f730c26ad32a94eb46ed981cb6626f

- Filesize: 28KB
  MD5: 6fbd887e44f80e417c469447106c73cb
  SHA1: bb3f178c7f0d177420878facc57392379f6fa194
  SHA256: 95dd4b38e506da061f9d503f0855c052fad34a435ea92696220dc0ff256556ad
  SHA512: a865b7382d9b123244a5dd4ad395f7dffedc6c42ad16407aedb22d6b75beb344ed2a0958149d845bb53699856e9aff2361a2d8c40bfcfc2a2b9fa7cb74a4bda9

- Filesize: 1.1MB
  MD5: 062050b56fc306bbab4d17e72eea5c34
  SHA1: 8edbcc1dc7da0fab002d356d2a28b2350bcad025
  SHA256: 70f006e7422395770cd6655c6f4211864d422d4f447e54cc26b67c505bbd7204
  SHA512: 82374a724a6747d8469e2bb5f38da963837ae020323a454ee4a9e8de6af4e00d4b9e3c4aa70dd8662de432e505dfdcf916ed2a0e06db471770f37ba59e63cffd