Analysis
- max time kernel: 143s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-06-2024 02:04
Static task: static1
Behavioral task: behavioral1
- Sample: b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Resource: win7-20240220-en
Behavioral task: behavioral2
- Sample: b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Resource: win10v2004-20240508-en
General
- Target: b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Size: 1.2MB
- MD5: ab3fa137f1603d28a0c4f79d4bb4c418
- SHA1: d76a52558a2a30343a7e0595d3f951683db444a5
- SHA256: b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883
- SHA512: 262a143884a62d1c161545efbbbd7f8ea14f55ed62fe65bf568d3a35ad5e3a82c4e456da8e8ee8d440043e91a9d59735cbd2fc121b4238a70f2993705142ef3f
- SSDEEP: 24576:3AHnh+eWsN3skA4RV1Hom2KXMmHaRI6pG0YhZ4WIT1QesUz+C7h5:qh+ZkldoPK8YaRI68SKesU1
Malware Config
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Detect packed .NET executables. Mostly AgentTeslaV4. 33 IoCs
- Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 33 IoCs
- Detects executables referencing Windows vault credential objects. Observed in infostealers. 33 IoCs
- Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers. 33 IoCs
- Detects executables referencing many email and collaboration clients. Observed in information stealers. 33 IoCs
- Detects executables referencing many file transfer clients. Observed in information stealers. 33 IoCs
- Looks up external IP address via web service. 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  3     api.ipify.org
- Suspicious use of SetThreadContext. 1 IoCs
  description                          pid   process                                                               target process
  PID 1712 set thread context of 1272  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses. 2 IoCs
  pid   process
  1272  RegSvcs.exe
  1272  RegSvcs.exe
- Suspicious behavior: MapViewOfSection. 3 IoCs
  pid   process
  2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Suspicious use of AdjustPrivilegeToken. 1 IoCs
  description              pid   process
  Token: SeDebugPrivilege  1272  RegSvcs.exe
- Suspicious use of FindShellTrayWindow. 6 IoCs
  pid   process
  2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Suspicious use of SendNotifyMessage. 6 IoCs
  pid   process
  2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
- Suspicious use of WriteProcessMemory. 16 IoCs
  description                        pid   process                                                               target process
  PID 2800 wrote to memory of 924    2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2800 wrote to memory of 924    2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2800 wrote to memory of 924    2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2800 wrote to memory of 2368   2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 2800 wrote to memory of 2368   2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 2800 wrote to memory of 2368   2800  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 2368 wrote to memory of 1576   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2368 wrote to memory of 1576   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2368 wrote to memory of 1576   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 2368 wrote to memory of 1712   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 2368 wrote to memory of 1712   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 2368 wrote to memory of 1712   2368  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe
  PID 1712 wrote to memory of 1272   1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 1712 wrote to memory of 1272   1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 1712 wrote to memory of 1272   1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
  PID 1712 wrote to memory of 1272   1712  b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe  RegSvcs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe (depth 1, PID 2800)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 2, PID 924)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
  - C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe (depth 2, PID 2368)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 3, PID 1576)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
    - C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe (depth 3, PID 1712)
      Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of WriteProcessMemory
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (depth 4, PID 1272)
        Command line: "C:\Users\Admin\AppData\Local\Temp\b97ca324b50c24c05c82b6ae51702cc8bedcd1474bb875099260559463683883.exe"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, PID 5128)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3756,i,9746875443948590908,1444894342962555245,262144 --variations-seed-version --mojo-platform-channel-handle=4232 /prefetch:8
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 28KB
  MD5: cbef02b13616b971d9ee3a12cfb806b8
  SHA1: 57f755b94add6c0d30b8ead691eae92839133609
  SHA256: d2f5e3c76c00df75d797415396979d4acaaddc51c26b685036f6bc33d3baa84f
  SHA512: 7e8633ce85d9a0c93a998b5a43ff37b6bddb87d2eaaa7db2820f3e24879882c21b39f2581fa951375e803ae53cd172c2b8409f61f5d8e03942741c33a0987b9c
- Filesize: 255KB
  MD5: 1f68ab1a913155475090c1b6920b2100
  SHA1: a5f5ee6767e46d2a14f04fc56c0609ae7f045e46
  SHA256: 895be284a7a2fd435ef1aad4428496b0a44d7ec75130f3c9fd2aa72b501543e4
  SHA512: 614b6ddf6edfb2ae18caa8eba1e9d9515436d88ae577108b3c14571f27708100b258f25ee73f3b782082e32d5e5a0f4dfa1f8b52b3c666f29b5884265483d088
- Filesize: 9KB
  MD5: 32b0677668558a39f86bbb428d200f31
  SHA1: e700c24e6e5854d552e2a3b8fca1ecf6f5d68372
  SHA256: 2227e8b902d06540892f364fb943dc40f1e5e0a12c41a9b5e4925bf0f2e0d0f9
  SHA512: 72586a6a2da9429b99ca8d2ae83fa973f4c80a4ab2836ab6120f47637584d6131d619898cf1b3faa041bda5acd420d895270b49e7639c9c6a0b1379b9283d518
- Filesize: 261KB
  MD5: 2fd14cb64c85288ce300a01aa0206b37
  SHA1: add171fddcd001c709dc745bf3cd3b9ed4aa254b
  SHA256: b8a3e5188aa61b09556215649a89210e9cd48aa0ca8b893a4c299d721be4147b
  SHA512: 5072663b1f0c2dee814050cf7682a58fc0184570c56ddb746d98bf0cd04dfd2cfd1786b6349676b94cd07f665738f340575baccfcbac0db7882663b7f5f0551f