Analysis
-
max time kernel
125s -
max time network
127s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
18-06-2024 08:44
Static task
static1
Behavioral task
behavioral1
Sample
Your file name without extension goes here.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Your file name without extension goes here.exe
Resource
win10v2004-20240611-en
General
-
Target
Your file name without extension goes here.exe
-
Size
2.8MB
-
MD5
8f6133a74122aa1a27d18e48c2a3fa0c
-
SHA1
b71bdccb8b06c081589d3063fa02874ffdd2450e
-
SHA256
a54d0aecd2d24ce47e9773d031b1995a6fe81b9508e02553aef5bd62ae5dcd8f
-
SHA512
b50d54a3f66c2935e633aadee0e6a6def99d81ed32fb1f7c6386f32bc4af2c8d6fd3ec894b448ae08870e56fd159d16f6ea802296a1274fd4eb96bbcd2de7a1b
-
SSDEEP
12288:lU46sykEJtb4RlyoxZePN6MAtWRdNu6vuqmBk+El4CG4DPi:lPRykobG7E69URdNxuqyk+dR
Malware Config
Extracted
Protocol: smtp- Host:
terminal4.veeblehosting.com - Port:
587 - Username:
[email protected] - Password:
Ifeanyi1987@
Extracted
agenttesla
Protocol: smtp- Host:
terminal4.veeblehosting.com - Port:
587 - Username:
[email protected] - Password:
Ifeanyi1987@ - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 12 ip-api.com -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Your file name without extension goes here.exedescription pid process target process PID 4092 set thread context of 3288 4092 Your file name without extension goes here.exe CasPol.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
CasPol.exepid process 3288 CasPol.exe 3288 CasPol.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
Your file name without extension goes here.exeCasPol.exedescription pid process Token: SeDebugPrivilege 4092 Your file name without extension goes here.exe Token: SeDebugPrivilege 3288 CasPol.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Your file name without extension goes here.exedescription pid process target process PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe PID 4092 wrote to memory of 3288 4092 Your file name without extension goes here.exe CasPol.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"C:\Users\Admin\AppData\Local\Temp\Your file name without extension goes here.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3288
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4188,i,1305347165619645738,15927664461101562802,262144 --variations-seed-version --mojo-platform-channel-handle=4196 /prefetch:81⤵PID:2492