Analysis
- max time kernel: 119s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 18-06-2024 15:26
Static task: static1

Behavioral task: behavioral1
- Sample: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Resource: win10v2004-20240611-en
General
- Target: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Size: 98KB
- MD5: 9ea3d152c4e248841abf4f490a84b8c9
- SHA1: 77d61f0c95c5f7cd4378ca528c4d13ce283af5c4
- SHA256: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0
- SHA512: 53f264afbc654519ef97efa33ea2c8fa2afcb30505e67f775f67aa4dffd3570861c532cfd8bc7465a93822122d08f761054b2dc75d52893cdde397e941d92fec
- SSDEEP: 1536:+A4Lk8u2qHlllllllOdQlwEn+glllllllllllllllllll5xw5ll:RMtYwiVxw5ll
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: 162.254.34.31
- Port: 587
- Username: [email protected]
- Password: 6RLYuUCIH8hN
- Email To: [email protected]
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\Viilefvhdo = "C:\\Users\\Admin\\AppData\\Roaming\\Viilefvhdo.exe" | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
Looks up external IP address via web service (2 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
6 | api.ipify.org
7 | api.ipify.org
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 2868 set thread context of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Gathers network information (2 TTPs, 2 IoCs)
Uses a command-line utility to view network configuration.
Processes:
pid | process
3220 | ipconfig.exe
3492 | ipconfig.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3388 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
3388 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
Token: SeDebugPrivilege | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
Token: SeDebugPrivilege | 3388 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
Suspicious use of WriteProcessMemory (25 IoCs)
Processes:
description | pid | process | target process
PID 2868 wrote to memory of 3196 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3196 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3196 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3196 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 3196 wrote to memory of 3220 | 3196 | cmd.exe | ipconfig.exe
PID 3196 wrote to memory of 3220 | 3196 | cmd.exe | ipconfig.exe
PID 3196 wrote to memory of 3220 | 3196 | cmd.exe | ipconfig.exe
PID 3196 wrote to memory of 3220 | 3196 | cmd.exe | ipconfig.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3388 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
PID 2868 wrote to memory of 3464 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3464 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3464 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 2868 wrote to memory of 3464 | 2868 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
PID 3464 wrote to memory of 3492 | 3464 | cmd.exe | ipconfig.exe
PID 3464 wrote to memory of 3492 | 3464 | cmd.exe | ipconfig.exe
PID 3464 wrote to memory of 3492 | 3464 | cmd.exe | ipconfig.exe
PID 3464 wrote to memory of 3492 | 3464 | cmd.exe | ipconfig.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe (PID 2868)
Command line: "C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe"
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 3196)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe (PID 3220)
        Command line: ipconfig /release
        - Gathers network information

    C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe (PID 3388)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\cmd.exe (PID 3464)
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\ipconfig.exe (PID 3492)
        Command line: ipconfig /renew
        - Gathers network information