Analysis
max time kernel: 147s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
submitted: 12-06-2024 02:04
Static task: static1
Behavioral task: behavioral1
  Sample: b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  Resource: win10v2004-20240508-en
General
Target: b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
Size: 1.2MB
MD5: b987ae03e873b8b5f1e4b9c26a8401d3
SHA1: 002d164dca14a55455f5d69965e1f26c3fecffa6
SHA256: b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106
SHA512: 852a07423d7b1f268a6473c375d7f6183ae5b12cfe6044c1d0b7389029a7a423fec3242ef5ecca96d9beb76699aba729f4f3f9b8c2affb4c52e16edc721da70a
SSDEEP: 24576:WAHnh+eWsN3skA4RV1Hom2KXMmHaVdH5C0Mm307Tz2jo649m45:xh+ZkldoPK8YaVJmm32z2x49t
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs (yara_rule INDICATOR_EXE_Packed_GEN01)
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs (yara_rule INDICATOR_SUSPICIOUS_Binary_References_Browsers)
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 33 IoCs (yara_rule INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID)
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 33 IoCs (yara_rule INDICATOR_SUSPICIOUS_EXE_References_Confidential_Data_Store)
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 33 IoCs (yara_rule INDICATOR_SUSPICIOUS_EXE_References_Messaging_Clients)
- Detects executables referencing many file transfer clients. Observed in information stealers. 33 IoCs (yara_rule INDICATOR_SUSPICIOUS_EXE_Referenfces_File_Transfer_Clients)
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  2 | api.ipify.org
- Suspicious use of SetThreadContext 1 IoCs
  Processes:
  description | pid | process | target process
  PID 4644 set thread context of 316 | 4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid | process
  316 | RegSvcs.exe
  316 | RegSvcs.exe
- Suspicious behavior: MapViewOfSection 2 IoCs
  Processes:
  pid | process
  4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 316 | RegSvcs.exe
- Suspicious use of FindShellTrayWindow 4 IoCs
  Processes:
  pid | process
  4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
- Suspicious use of SendNotifyMessage 4 IoCs
  Processes:
  pid | process
  4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
- Suspicious use of WriteProcessMemory 10 IoCs
  Processes:
  description | pid | process | target process
  PID 4556 wrote to memory of 312 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4556 wrote to memory of 312 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4556 wrote to memory of 312 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4556 wrote to memory of 4644 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  PID 4556 wrote to memory of 4644 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  PID 4556 wrote to memory of 4644 | 4556 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe
  PID 4644 wrote to memory of 316 | 4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4644 wrote to memory of 316 | 4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4644 wrote to memory of 316 | 4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
  PID 4644 wrote to memory of 316 | 4644 | b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe | RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe"
  PID: 4556
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe"
    PID: 312
  - C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe"
    PID: 4644
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b79bebd49ec717c79a291a46c7fef304974be170eab06d6fd14810bdb0593106.exe"
      PID: 316
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(These are the digests of a zero-byte input.)