Analysis
-
max time kernel
103s -
max time network
203s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13-09-2024 03:59
Behavioral task
behavioral1
Sample
Updated Pricelist.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
Updated Pricelist.exe
Resource
win10v2004-20240802-en
General
-
Target
Updated Pricelist.exe
-
Size
583KB
-
MD5
bd50b8389578702100c55e976e636d2c
-
SHA1
04a8de3509219f30312a372dd365a84a2f853efe
-
SHA256
317d4b1683e217b6af80de147bbeb8581255f320dd11ca5c13b0796f837d42aa
-
SHA512
2ba298f9f2ddfac90aefd6587749f65002495bb3a8e7f7e5947ca7b7f654133329ca0ac9b69aae7c631155f6f865e4503350df6612c965fd22b3017d4d6e9543
-
SSDEEP
12288:LXe9PPlowWX0t6mOQwg1Qd15CcYk0We1FfCvz+1YhOyIIHMsulkf:ShloDX0XOf4oZhfIIHMgf
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mahesh-ent.com - Port:
587 - Username:
[email protected] - Password:
M@hesh3981 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
resource yara_rule behavioral2/memory/1080-0-0x0000000000ED0000-0x0000000001024000-memory.dmp upx behavioral2/memory/1080-10-0x0000000000ED0000-0x0000000001024000-memory.dmp upx -
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 15 api.ipify.org 16 api.ipify.org -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/1080-10-0x0000000000ED0000-0x0000000001024000-memory.dmp autoit_exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1080 set thread context of 808 1080 Updated Pricelist.exe 86 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Updated Pricelist.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 808 RegSvcs.exe 808 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 1080 Updated Pricelist.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 808 RegSvcs.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1080 Updated Pricelist.exe 1080 Updated Pricelist.exe -
Suspicious use of SendNotifyMessage 2 IoCs
pid Process 1080 Updated Pricelist.exe 1080 Updated Pricelist.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 808 RegSvcs.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 1080 wrote to memory of 808 1080 Updated Pricelist.exe 86 PID 1080 wrote to memory of 808 1080 Updated Pricelist.exe 86 PID 1080 wrote to memory of 808 1080 Updated Pricelist.exe 86 PID 1080 wrote to memory of 808 1080 Updated Pricelist.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1080 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\Updated Pricelist.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:808
-