Analysis
max time kernel: 11s
platform: windows11-21h2_x64
resource: win11-20240802-en
resource tags: arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-08-2024 18:48
Static task: static1 (1 signature)
General
Target: LocalStealer.exe
Size: 4.3MB
MD5: 2a83e09de80c45eecdc7c9ed103c4346
SHA1: 4fdb40b042468a529f339bb9c5045dadc5a7c7bb
SHA256: 6c8cd2ff4020f57d558e878d87e8039ad3804614cad29957e279423af39b959d
SHA512: e8784c26146256cb481e8ddf1795bf86d7a5bedad1ff0397b71884076b1ec49efa5e3ef3f6eeed921d4f190ae7b2ab6b7317ce27d1c43ea13e3d8edfe4ef3d12
SSDEEP: 98304:tkjozJ9/im8XVBKl6tmJVPS47x/EaR5zNNHtFkIT4bNJFY3OqtaSGuA+iFi:RzJpjS346tmJ1xsG53tFkjBHYq9uAy
Malware Config
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla payload 1 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/4080-8-0x00000186F8020000-0x00000186F8234000-memory.dmp  family_agenttesla
Obfuscated with Agile.Net obfuscator 8 IoCs
Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.
Processes:
resource                                                                     yara_rule
behavioral1/memory/4080-3-0x00000186F7540000-0x00000186F7560000-memory.dmp   agile_net
behavioral1/memory/4080-2-0x00000186F74D0000-0x00000186F74F0000-memory.dmp   agile_net
behavioral1/memory/4080-4-0x00000186F7CB0000-0x00000186F7CBE000-memory.dmp   agile_net
behavioral1/memory/4080-6-0x00000186F7D30000-0x00000186F7D40000-memory.dmp   agile_net
behavioral1/memory/4080-5-0x00000186F7CD0000-0x00000186F7D2A000-memory.dmp   agile_net
behavioral1/memory/4080-9-0x00000186F7D40000-0x00000186F7DAE000-memory.dmp   agile_net
behavioral1/memory/4080-10-0x00000186F7DC0000-0x00000186F7DDE000-memory.dmp  agile_net
behavioral1/memory/4080-11-0x00000186F8230000-0x00000186F837A000-memory.dmp  agile_net
Enumerates system info in registry 2 TTPs 3 IoCs
Processes: LocalStealer.exe
description        ioc                                                                   process
Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    LocalStealer.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  LocalStealer.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion       LocalStealer.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: LocalStealer.exe
pid   process
4080  LocalStealer.exe
(this same pid/process row is recorded for all 64 IoCs)
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: LocalStealer.exe
description              pid   process
Token: SeDebugPrivilege  4080  LocalStealer.exe