Analysis
max time kernel: 595s
max time network: 600s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-06-2024 16:17
Behavioral tasks
behavioral1  Sample: Guna.UI2.dll  Resource: win7-20240611-en
behavioral2  Sample: Guna.UI2.dll  Resource: win10v2004-20240508-en
behavioral3  Sample: Memory.dll    Resource: win7-20240508-en
behavioral4  Sample: Memory.dll    Resource: win10v2004-20240508-en
behavioral5  Sample: reach.exe     Resource: win7-20240221-en
behavioral6  Sample: reach.exe     Resource: win10v2004-20240611-en
General
Target: reach.exe
Size: 4.1MB
MD5: c8cbc57915836322fd79b73f5cdd0047
SHA1: ab2c9a392af16dde09c032b05ad19ca7c2170434
SHA256: 91a7ca4f9b9361e8eb01f2c52eeb67a36233cb7ccd481214472ed9065f247c52
SHA512: a72619e18e262aba281ba70edc97a038bbbcf7ef0530cf66b85432baba0f1da71edb3ccaf014775c8faea702edf86e28c3fa84ddb22f9a09c08c1b59220dd3ff
SSDEEP: 98304:MY/Hu/2WllEKvUVoLu98EoHqDhmt8jgRVVjlvvv0p:MYGuUEToq8DHf8jgRVVt0p
Malware Config
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla payload (1 IoC)
Processes:
resource                                                                    yara_rule
behavioral6/memory/2920-5-0x000001C9770F0000-0x000001C977304000-memory.dmp  family_agenttesla

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description        ioc                                                                    process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     reach.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  reach.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       reach.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
2920  reach.exe
2920  reach.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description              pid   process
Token: SeDebugPrivilege  2920  reach.exe
Processes

C:\Users\Admin\AppData\Local\Temp\reach.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\reach.exe"
  PID: 2920
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4416,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:8
  PID: 3116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4828,i,6870419347051655189,5491911050420577193,262144 --variations-seed-version --mojo-platform-channel-handle=4892 /prefetch:8
  PID: 4564