Analysis
max time kernel: 357s
max time network: 358s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-06-2024 16:17
Behavioral tasks
behavioral1: Sample Guna.UI2.dll, Resource win7-20240611-en
behavioral2: Sample Guna.UI2.dll, Resource win10v2004-20240508-en
behavioral3: Sample Memory.dll, Resource win7-20240508-en
behavioral4: Sample Memory.dll, Resource win10v2004-20240508-en
behavioral5: Sample reach.exe, Resource win7-20240221-en
behavioral6: Sample reach.exe, Resource win10v2004-20240611-en
General
Target: reach.exe
Size: 4.1MB
MD5: c8cbc57915836322fd79b73f5cdd0047
SHA1: ab2c9a392af16dde09c032b05ad19ca7c2170434
SHA256: 91a7ca4f9b9361e8eb01f2c52eeb67a36233cb7ccd481214472ed9065f247c52
SHA512: a72619e18e262aba281ba70edc97a038bbbcf7ef0530cf66b85432baba0f1da71edb3ccaf014775c8faea702edf86e28c3fa84ddb22f9a09c08c1b59220dd3ff
SSDEEP: 98304:MY/Hu/2WllEKvUVoLu98EoHqDhmt8jgRVVjlvvv0p:MYGuUEToq8DHf8jgRVVt0p
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload (1 IoC)
Processes:
resource | yara_rule
behavioral5/memory/2172-5-0x000000001D490000-0x000000001D6A4000-memory.dmp | family_agenttesla
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes: reach.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | reach.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | reach.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | reach.exe
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes: reach.exe
pid | process
2172 | reach.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: reach.exe
description | pid | process
Token: SeDebugPrivilege | 2172 | reach.exe