Analysis

- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240220-en
- resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
- submitted: 12-06-2024 02:15
Tasks

- Static task: static1
- Behavioral task: behavioral1
  Sample: 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe
  Resource: win7-20240220-en
- Behavioral task: behavioral2
  Sample: 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe
  Resource: win10v2004-20240611-en
General

- Target: 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe
- Size: 602KB
- MD5: 90384630603db9e5a555e63b50542c67
- SHA1: 1ea91cd860d92a43b2a5ab0a4187c2a18c2ee11f
- SHA256: 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db
- SHA512: a29ce98d23cd58d5b8ae1c7ae7f1b16abec3c232124632535d7b03adad0889024235e17e76f8c4a06511c196fee82386762e8ff91dc6238a6ba50020f464e1c0
- SSDEEP: 12288:EAevfRBK5O6M2PrsOfO9rFIBpGImoozvItcHHFojhbCxprzvue30gaff/CRy:/lIJripFmoozQm6jOpHlda/l
Malware Config

Extracted: agenttesla

- Protocol: smtp
- Host: mail.b-trust.org
- Port: 587
- Username: [email protected]
- Password: bg680304
- Email To: [email protected]
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                         | pid  | process                                                                | target process
  PID 2196 set thread context of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid  | process
  2252 | CasPol.exe
  2252 | CasPol.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              | pid  | process
  Token: SeDebugPrivilege  | 2252 | CasPol.exe

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                    | pid  | process                                                                | target process
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2252 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | CasPol.exe
  PID 2196 wrote to memory of 2500 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | WerFault.exe
  PID 2196 wrote to memory of 2500 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | WerFault.exe
  PID 2196 wrote to memory of 2500 | 2196 | 7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe | WerFault.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7a58e101be7adf3fb1b99f17259c8e0747970336a998ae6f01c549bbd27926db.exe"
  PID: 2196
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
    PID: 2252
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 2196 -s 652
    PID: 2500