Analysis
max time kernel
125s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags
arch:x64 arch:x86 image:win10v2004-20240611-en locale:en-us os:windows10-2004-x64 system
submitted
18-06-2024 17:31
Static task
static1
Behavioral task
behavioral1
Sample
BANK DETAILS.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
BANK DETAILS.exe
Resource
win10v2004-20240611-en
General
Target
BANK DETAILS.exe
Size
637KB
MD5
40d0bcab4d57a4194938744ed5d22c51
SHA1
2700d2ae373bcde93e9636f75547936326577110
SHA256
9bac0e273d5e86b4be40e949d0256c1f8fc3fd65559a55524c88797b7ba0194d
SHA512
a13d3af75132cc46b33490f32a515a5e149930c61950f9d2b4d0a2fbe646149506e9bf7fdcefbe8a78de4ea3a80229794803527878b3e9f8565606dc30cc90a1
SSDEEP
12288:sjMgUD2J0LzgzAPKHxksUefkoQCgWgQ0w3c1ca:LD2Jqz8AS1ooQCgL9ca
Malware Config
Extracted
agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: faith12AB
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and credential stealer; the configuration extracted from this sample exfiltrates over SMTP (see Malware Config above).
AgentTesla payload 1 IoCs
resource | yara_rule
behavioral2/memory/4900-12-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | process | target process
PID 4880 set thread context of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
pid | process
4880 | BANK DETAILS.exe
4880 | BANK DETAILS.exe
4880 | BANK DETAILS.exe
4880 | BANK DETAILS.exe
4900 | MSBuild.exe
4900 | MSBuild.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | process
Token: SeDebugPrivilege | 4880 | BANK DETAILS.exe
Token: SeDebugPrivilege | 4900 | MSBuild.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | process | target process
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
PID 4880 wrote to memory of 4900 | 4880 | BANK DETAILS.exe | MSBuild.exe
outlook_office_path 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
outlook_win_path 1 IoCs
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | MSBuild.exe
Processes
C:\Users\Admin\AppData\Local\Temp\BANK DETAILS.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\BANK DETAILS.exe"
  PID: 4880
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe (child of PID 4880)
      command line: "{path}"
      PID: 4900
      - Accesses Microsoft Outlook profiles
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - outlook_office_path
      - outlook_win_path
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (no signatures attached)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4208,i,2113996974559895641,18156918660790954073,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
  PID: 3380
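The Signatures and Processes sections above together describe one chain: BANK DETAILS.exe writes into a freshly spawned MSBuild.exe and resets its thread context (process hollowing), both processes take SeDebugPrivilege, and the hollowed MSBuild.exe then opens the Outlook profile keys where mail account settings live. The following is an added example of detection logic over that chain, written for this page and not code from the sandbox or any vendor. The event and process records are constructed to mirror the report's rows; their field names ("kind", "pid", "target_pid", "image", and so on) are an assumed schema, not a real Sysmon or EDR format, and the mail-client allowlist is an assumption as well.

```python
"""Detection checks for the behaviours in this report: process hollowing into
MSBuild.exe, SeDebugPrivilege use, and Outlook profile-key access.
Added example, not sandbox or vendor code; the records below are constructed
to mirror the report's rows and their field names are an assumed schema."""
import re
from collections import defaultdict

SID = "S-1-5-21-3665033694-1447845302-680750983-1000"
PROFILE = "9375CFF0413111d3B88A00104B2A6676"

def hku(*parts):
    # Join a registry path under the report's user hive (\REGISTRY\USER\<SID>).
    return "\\".join(("\\REGISTRY\\USER", SID) + parts)

# Constructed events mirroring the "Signatures" section.
EVENTS = (
    [{"kind": "set_thread_context", "pid": 4880, "process": "BANK DETAILS.exe",
      "target_pid": 4900, "target": "MSBuild.exe"}]
    + [{"kind": "write_process_memory", "pid": 4880, "process": "BANK DETAILS.exe",
        "target_pid": 4900, "target": "MSBuild.exe"} for _ in range(8)]
    + [{"kind": "adjust_privilege", "pid": p, "process": n, "token": "SeDebugPrivilege"}
       for p, n in ((4880, "BANK DETAILS.exe"), (4900, "MSBuild.exe"))]
    + [{"kind": "reg_key_open", "pid": 4900, "process": "MSBuild.exe", "key": hku(*k)}
       for k in (
           ("Software", "Microsoft", "Windows NT", "CurrentVersion",
            "Windows Messaging Subsystem", "Profiles", "Outlook", PROFILE),
           ("Software", "Microsoft", "Office", "16.0", "Outlook", "Profiles", "Outlook", PROFILE),
           ("Software", "Microsoft", "Office", "15.0", "Outlook", "Profiles", "Outlook", PROFILE),
       )]
)

# Constructed process records mirroring the "Processes" section.
TREE = [
    {"pid": 4880, "ppid": None,
     "image": "C:\\Users\\Admin\\AppData\\Local\\Temp\\BANK DETAILS.exe",
     "cmdline": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\BANK DETAILS.exe"'},
    {"pid": 4900, "ppid": 4880,
     "image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\MSBuild.exe",
     "cmdline": '"{path}"'},
    {"pid": 3380, "ppid": None,
     "image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe",
     "cmdline": "msedge.exe --type=utility"},
]

# Outlook keeps account settings, stored mail passwords included, under these
# profile keys; a process other than a mail client opening them is the signal.
OUTLOOK_PROFILE_RE = re.compile(
    r"\\Software\\Microsoft\\(Windows NT\\CurrentVersion\\Windows Messaging Subsystem"
    r"|Office\\\d+\.\d+\\Outlook)\\Profiles\\", re.IGNORECASE)
MAIL_CLIENTS = {"outlook.exe"}  # assumed allowlist of legitimate readers

def find_hollowing(events):
    """WriteProcessMemory and SetThreadContext from the same source into the
    same target: the hollowing sequence. Either API alone is far noisier."""
    pairs = defaultdict(lambda: {"writes": 0, "ctx": 0, "names": None})
    for e in events:
        if e["kind"] in ("write_process_memory", "set_thread_context"):
            p = pairs[(e["pid"], e["target_pid"])]
            p["names"] = (e["process"], e["target"])
            p["writes" if e["kind"] == "write_process_memory" else "ctx"] += 1
    return [{"source_pid": s, "source": v["names"][0], "target_pid": t,
             "target": v["names"][1], "writes": v["writes"]}
            for (s, t), v in pairs.items() if v["writes"] and v["ctx"]]

def find_outlook_profile_access(events):
    """Registry opens on Outlook profile keys by anything but a mail client."""
    return [(e["pid"], e["process"], e["key"]) for e in events
            if e["kind"] == "reg_key_open"
            and e["process"].lower() not in MAIL_CLIENTS
            and OUTLOOK_PROFILE_RE.search(e["key"])]

def find_suspicious_dotnet_hosts(tree):
    """A .NET Framework host spawned by an executable in a user temp directory
    is a common hollowing target; the literal "{path}" command line is a tell."""
    by_pid = {p["pid"]: p for p in tree}
    hits = []
    for p in tree:
        parent = by_pid.get(p["ppid"])
        if (parent and "\\Microsoft.NET\\Framework\\" in p["image"]
                and "\\AppData\\Local\\Temp\\" in parent["image"]):
            hits.append({"child_pid": p["pid"], "child": p["image"].rsplit("\\", 1)[-1],
                         "parent": parent["image"].rsplit("\\", 1)[-1],
                         "placeholder_cmdline": "{path}" in p["cmdline"]})
    return hits

def verdict(events, tree):
    """Hollowing plus mail-profile access from the hollowed process is the
    stealer pattern this report shows; each piece is returned so the analyst
    can see which evidence drove the result."""
    hollow = find_hollowing(events)
    mail = find_outlook_profile_access(events)
    hollowed = {h["target_pid"] for h in hollow}
    return {"hollowing": hollow, "outlook_access": mail,
            "dotnet_hosts": find_suspicious_dotnet_hosts(tree),
            "hollowed_process_reads_mail_profiles": any(pid in hollowed for pid, _, _ in mail)}

REPORT = verdict(EVENTS, TREE)  # run against the constructed records
```

The pairing in find_hollowing is the important design choice: WriteProcessMemory or SetThreadContext on their own fire constantly for debuggers, installers and some AV engines, but the same source writing into and then re-pointing the thread of the same child is rarely benign. Tying the Outlook key access to the PID that was just hollowed, rather than alerting on every process that touches those keys, is what keeps the combined verdict from firing on legitimate MAPI clients.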