Analysis
-
max time kernel
135s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 22:15
Static task
static1
Behavioral task
behavioral1
Sample
c5a66daf8a49bd675d71736d7a81366f.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c5a66daf8a49bd675d71736d7a81366f.exe
Resource
win10v2004-20240802-en
General
-
Target
c5a66daf8a49bd675d71736d7a81366f.exe
-
Size
1.0MB
-
MD5
c5a66daf8a49bd675d71736d7a81366f
-
SHA1
5d0312e80a42f82914eca818e3206dba210cd2b8
-
SHA256
56287adf7892b0d48ce32ace863e4e403f51dc20eba9e422602fb61bb667a5f1
-
SHA512
f5b895fcf58dc665308bc56862b3f6eba43f5783f305d4e0992f8c46b5c867e083f8946100d5cb59a437a01c3ba633946a1e9256727c5033c21c0322538c3c0e
-
SSDEEP
24576:p4lavt0LkLL9IMixoEgea5QRYRCeS0D8qWwq9MmCS:4kwkn9IMHea5Q2R3S0D8qPaPCS
Malware Config
Extracted
agenttesla
Protocol: ftp- Host:
ftp://ftp.stingatoareincendii.ro - Port:
21 - Username:
[email protected] - Password:
3.*RYhlG)lkA
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 12 ip-api.com -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2988-6-0x0000000000AD0000-0x0000000000ED0000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2988 set thread context of 3880 2988 c5a66daf8a49bd675d71736d7a81366f.exe 88 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language c5a66daf8a49bd675d71736d7a81366f.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3880 RegSvcs.exe 3880 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2988 c5a66daf8a49bd675d71736d7a81366f.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3880 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2988 c5a66daf8a49bd675d71736d7a81366f.exe 2988 c5a66daf8a49bd675d71736d7a81366f.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 2988 c5a66daf8a49bd675d71736d7a81366f.exe 2988 c5a66daf8a49bd675d71736d7a81366f.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2988 wrote to memory of 3880 2988 c5a66daf8a49bd675d71736d7a81366f.exe 88 PID 2988 wrote to memory of 3880 2988 c5a66daf8a49bd675d71736d7a81366f.exe 88 PID 2988 wrote to memory of 3880 2988 c5a66daf8a49bd675d71736d7a81366f.exe 88 PID 2988 wrote to memory of 3880 2988 c5a66daf8a49bd675d71736d7a81366f.exe 88
Processes
-
C:\Users\Admin\AppData\Local\Temp\c5a66daf8a49bd675d71736d7a81366f.exe"C:\Users\Admin\AppData\Local\Temp\c5a66daf8a49bd675d71736d7a81366f.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\c5a66daf8a49bd675d71736d7a81366f.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3880
-