Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
19-06-2024 13:13
Static task
static1
Behavioral task
behavioral1
Sample
PO-070724-WA00002.exe
Resource
win7-20240220-en
Behavioral task
behavioral2
Sample
PO-070724-WA00002.exe
Resource
win10v2004-20240611-en
General
-
Target
PO-070724-WA00002.exe
-
Size
720KB
-
MD5
02cf751cfb4a32f5fc312d5b28505834
-
SHA1
3e301394a596e1821027fa304ae054c4e214be2a
-
SHA256
0f332fd82cac206ac5ad266b95ec432b85b285317709ea00ee5f31648a1fc512
-
SHA512
dcb983fc89aee31651f6fe9d5aa3ccfe1064c303f3a9766fe1b616931f15c31c03fcfba27a8e13b6f5e7a0a12835081e60bb71fbd68ba0303285d68cc4d79aed
-
SSDEEP
12288:05xFWhx+o6qYYGuo60Yl4YZG+naO+Bspp1pJ49rzviorohW5+X/oQ3M759DDxJBJ:KxF7uVp0Yl0iaO+m941vihhu+1877r3
Malware Config
Extracted
Protocol: smtp- Host:
smtp.brianberrills-ie.com - Port:
587 - Username:
[email protected] - Password:
k)(yecz3
Extracted
agenttesla
Protocol: smtp- Host:
smtp.brianberrills-ie.com - Port:
587 - Username:
[email protected] - Password:
k)(yecz3 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 30 api.ipify.org 31 api.ipify.org -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
PO-070724-WA00002.exepid Process 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe 1180 PO-070724-WA00002.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
PO-070724-WA00002.exedescription pid Process Token: SeDebugPrivilege 1180 PO-070724-WA00002.exe