Analysis
-
max time kernel
142s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14-09-2024 03:34
Static task
static1
Behavioral task
behavioral1
Sample
INV 493178246.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
INV 493178246.exe
Resource
win10v2004-20240802-en
General
-
Target
INV 493178246.exe
-
Size
820KB
-
MD5
94ec06012c2eabfff68c349a5330136a
-
SHA1
833d6264d984eb8816a95d91e4c491c8fb8554f4
-
SHA256
d2e12e778519b6ea35daaef5eadae95b9f9e7f60676c8ddae1b321e384984c63
-
SHA512
0ceaff384363e25e860fc977252b5827b847f61b8532f6a7b725ae829069f078559ebee406ed3bfc164b5f9569e6188078c458172111fc655433b869bc9e74f5
-
SSDEEP
12288:bb6mCM9sXHh9BoRPqsxOVKuS5r70xwgeqh043L97/hOcUW9sqVZEG:qeSHhYRRxOVGcxJBdb12hi
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.deltataxation.com.au - Port:
587 - Username:
[email protected] - Password:
flX?jHei(%+5
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 8 IoCs
resource yara_rule behavioral1/memory/1744-10-0x00000000002C0000-0x00000000002FC000-memory.dmp family_agenttesla behavioral1/memory/1744-12-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla behavioral1/memory/1744-11-0x00000000002C0000-0x00000000002FC000-memory.dmp family_agenttesla behavioral1/memory/1744-8-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla behavioral1/memory/1744-9-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla behavioral1/memory/1744-23-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla behavioral1/memory/1744-24-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla behavioral1/memory/1744-25-0x0000000000400000-0x0000000000485000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral1/memory/1744-12-0x0000000000400000-0x0000000000485000-memory.dmp upx behavioral1/memory/1744-8-0x0000000000400000-0x0000000000485000-memory.dmp upx behavioral1/memory/1744-7-0x0000000000400000-0x0000000000485000-memory.dmp upx behavioral1/memory/1744-9-0x0000000000400000-0x0000000000485000-memory.dmp upx behavioral1/memory/1744-4-0x0000000000400000-0x0000000000485000-memory.dmp upx -
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV 493178246.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV 493178246.exe Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV 493178246.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe" INV 493178246.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2108 set thread context of 1744 2108 INV 493178246.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language INV 493178246.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language INV 493178246.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2108 INV 493178246.exe 1744 INV 493178246.exe 1744 INV 493178246.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 2108 INV 493178246.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 1744 INV 493178246.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1744 INV 493178246.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2108 wrote to memory of 1744 2108 INV 493178246.exe 30 PID 2108 wrote to memory of 1744 2108 INV 493178246.exe 30 PID 2108 wrote to memory of 1744 2108 INV 493178246.exe 30 PID 2108 wrote to memory of 1744 2108 INV 493178246.exe 30 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV 493178246.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 INV 493178246.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\INV 493178246.exe"C:\Users\Admin\AppData\Local\Temp\INV 493178246.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Users\Admin\AppData\Local\Temp\INV 493178246.exe"C:\Users\Admin\AppData\Local\Temp\INV 493178246.exe"2⤵
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:1744
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1