Analysis
- max time kernel: 125s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-06-2024 15:26
Static task: static1
Behavioral task: behavioral1
- Sample: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Resource: win10v2004-20240611-en
General
- Target: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Size: 98KB
- MD5: 9ea3d152c4e248841abf4f490a84b8c9
- SHA1: 77d61f0c95c5f7cd4378ca528c4d13ce283af5c4
- SHA256: 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0
- SHA512: 53f264afbc654519ef97efa33ea2c8fa2afcb30505e67f775f67aa4dffd3570861c532cfd8bc7465a93822122d08f761054b2dc75d52893cdde397e941d92fec
- SSDEEP: 1536:+A4Lk8u2qHlllllllOdQlwEn+glllllllllllllllllll5xw5ll:RMtYwiVxw5ll
Malware Config
Extracted
- Protocol: smtp
- Host: 162.254.34.31
- Port: 587
- Username: [email protected]
- Password: 6RLYuUCIH8hN
Extracted (family: agenttesla)
- Protocol: smtp
- Host: 162.254.34.31
- Port: 587
- Username: [email protected]
- Password: 6RLYuUCIH8hN
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe):
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe):
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Viilefvhdo = "C:\\Users\\Admin\\AppData\\Roaming\\Viilefvhdo.exe" | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    31 | api.ipify.org
    32 | api.ipify.org
- Suspicious use of SetThreadContext (1 IoC)
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe):
    description | pid | process | target process
    PID 3964 set thread context of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Gathers network information (2 TTPs, 2 IoCs)
  Uses commandline utility to view network configuration.
  Processes (ipconfig.exe, ipconfig.exe):
    pid | process
    1508 | ipconfig.exe
    4436 | ipconfig.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe):
    pid | process
    4532 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    4532 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe, 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe):
    description | pid | process
    Token: SeDebugPrivilege | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    Token: SeDebugPrivilege | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    Token: SeDebugPrivilege | 4532 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
- Suspicious use of WriteProcessMemory (20 IoCs)
  Processes (1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe, cmd.exe, cmd.exe):
    description | pid | process | target process
    PID 3964 wrote to memory of 4948 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 3964 wrote to memory of 4948 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 3964 wrote to memory of 4948 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 4948 wrote to memory of 1508 | 4948 | cmd.exe | ipconfig.exe
    PID 4948 wrote to memory of 1508 | 4948 | cmd.exe | ipconfig.exe
    PID 4948 wrote to memory of 1508 | 4948 | cmd.exe | ipconfig.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 4532 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    PID 3964 wrote to memory of 572 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 3964 wrote to memory of 572 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 3964 wrote to memory of 572 | 3964 | 1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe | cmd.exe
    PID 572 wrote to memory of 4436 | 572 | cmd.exe | ipconfig.exe
    PID 572 wrote to memory of 4436 | 572 | cmd.exe | ipconfig.exe
    PID 572 wrote to memory of 4436 | 572 | cmd.exe | ipconfig.exe
Processes
- Image: C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe"
  PID: 3964
  Signatures: Checks computer location settings; Adds Run key to start application; Suspicious use of SetThreadContext; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /release
    PID: 4948
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /release
      PID: 1508
      Signatures: Gathers network information
  - Image: C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\1b4cd0759ffb8314d799031e229d82bf5adf74ed60f0430c4df7fad3b49137f0.exe"
    PID: 4532
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
  - Image: C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c ipconfig /renew
    PID: 572
    Signatures: Suspicious use of WriteProcessMemory
    - Image: C:\Windows\SysWOW64\ipconfig.exe
      Command line: ipconfig /renew
      PID: 4436
      Signatures: Gathers network information
- Image: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3980,i,4778049104057176787,6631751660692402210,262144 --variations-seed-version --mojo-platform-channel-handle=1028 /prefetch:8
  PID: 1420