Analysis
-
max time kernel
120s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240611-en -
resource tags
arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system -
submitted
12-06-2024 02:02
Static task
static1
Behavioral task
behavioral1
Sample
Bank slip.exe
Resource
win7-20240611-en
General
-
Target
Bank slip.exe
-
Size
750KB
-
MD5
65896cd6fe3a01926ed49c9ef5a29ef7
-
SHA1
c5dc5a34959a9695187f9d5feed4cc4fb8cbae44
-
SHA256
801fb085b2034c2da6a22f7ed8d86ae6e7195b09d63c195a2b04a55b7a40f97f
-
SHA512
c59c6033482ca7690fd07a1f77157caa8d2e34ba6b85326831fbb820c402eaea76b26236b879116bc694e66fb10bb6cd6ea95d3497febba3a600132429844601
-
SSDEEP
12288:vs2J7y715wcdF7d1+bbamuOl8cX7UOaj/N/4FjaxnSdgx+ACR5leZlN:U25k5XdNv+boOlTwhU8nSA+A+er
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.albushrametalic.com - Port:
587 - Username:
[email protected] - Password:
GLBL1285# - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 2 api.ipify.org 3 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Bank slip.exedescription pid process target process PID 1900 set thread context of 2808 1900 Bank slip.exe Bank slip.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
Bank slip.exeBank slip.exepowershell.exepid process 1900 Bank slip.exe 1900 Bank slip.exe 1900 Bank slip.exe 2808 Bank slip.exe 2808 Bank slip.exe 2672 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Bank slip.exeBank slip.exepowershell.exedescription pid process Token: SeDebugPrivilege 1900 Bank slip.exe Token: SeDebugPrivilege 2808 Bank slip.exe Token: SeDebugPrivilege 2672 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
Bank slip.exedescription pid process target process PID 1900 wrote to memory of 2672 1900 Bank slip.exe powershell.exe PID 1900 wrote to memory of 2672 1900 Bank slip.exe powershell.exe PID 1900 wrote to memory of 2672 1900 Bank slip.exe powershell.exe PID 1900 wrote to memory of 2672 1900 Bank slip.exe powershell.exe PID 1900 wrote to memory of 2652 1900 Bank slip.exe schtasks.exe PID 1900 wrote to memory of 2652 1900 Bank slip.exe schtasks.exe PID 1900 wrote to memory of 2652 1900 Bank slip.exe schtasks.exe PID 1900 wrote to memory of 2652 1900 Bank slip.exe schtasks.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe PID 1900 wrote to memory of 2808 1900 Bank slip.exe Bank slip.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1900 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\uwJTBIAB.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2672 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uwJTBIAB" /XML "C:\Users\Admin\AppData\Local\Temp\tmp582E.tmp"2⤵
- Creates scheduled task(s)
PID:2652 -
C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"C:\Users\Admin\AppData\Local\Temp\Bank slip.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2808
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD55595f77f71f00ae3dd4f60403567b46b
SHA10ef59f082753cc2042a950c7384f40b4dda97f91
SHA256d51149044816287dc9fb6d69c035cab20d6654ad8295732ea2f77d989628fe6b
SHA5126e2c40ab7ceb32c1e7537401bf81650abb53de455cdf2f5412887370e787b0d77909fa8626ae2de3ed282f19f4637dd96d71137c15f6650adba09ee9570cd6fe