Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 01:55
Static task: static1
Behavioral task: behavioral1
- Sample: 75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe
- Resource: win10v2004-20240611-en
General
- Target: 75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe
- Size: 2.3MB
- MD5: 3bdccf0ad99477897b2c52e4d7caf22c
- SHA1: f8745d2cd4460b0541fa36f349946365ccf3dbba
- SHA256: 75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2
- SHA512: 13524dae60dd93947316498a9b37e67229fa1e8f95040a6fee884dd06c2a365e7ec8025e61cd419b2e78017ee222b9ed0cdc838e025f99eff70b0d6b3c6e1718
- SSDEEP: 3072:CnJXbZgdE1mITFmT52UVbc0SegDgZfIxrAQOt/7ryVGMKrQjRzIEFJxalTfTYYi5:CnJP1T/
Malware Config
- Extracted family: agenttesla
- Extracted URL: https://api.telegram.org/bot7199704710:AAFo3G2WRLLSd0jDgjwpe01oeP1lxDAYb8A/
Signatures
- AgentTesla: Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PID 2284 (75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe) set thread context of PID 2632 (CasPol.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: PID 2632 CasPol.exe; PID 2632 CasPol.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: PID 2632 CasPol.exe, Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (32 IoCs)
  Processes: every entry is PID 2284 (75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe) writing to the memory of a target process; identical entries are grouped with their count below (7 + 4 + 8 + 9 + 4 = 32).
  - regsvcs.exe (PID 2760): 7 entries
  - AddInProcess32.exe (PID 1708): 4 entries
  - msbuild.exe (PID 2304): 8 entries
  - CasPol.exe (PID 2632): 9 entries
  - CasPol.exe (PID 2540): 4 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe (PID 2284)
  Command line: "C:\Users\Admin\AppData\Local\Temp\75a67dd823e262d9f88b845e8c96aa376fce5c2261d835e3bf96b4f1f24a75c2.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe (PID 2760, child of 2284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe (PID 1708, child of 2284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe (PID 2304, child of 2284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 2632, child of 2284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe (PID 2540, child of 2284)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"