Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
16-09-2024 00:58
Static task
static1
Behavioral task
behavioral1
Sample
Euro 11,600..Bankasi.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
Euro 11,600..Bankasi.exe
Resource
win10v2004-20240802-en
General
-
Target
Euro 11,600..Bankasi.exe
-
Size
446KB
-
MD5
ad58a309226967471f0573a65e1c02f2
-
SHA1
95e0e2e3e1a1415f631c7bc4a361731b1022e388
-
SHA256
06face53825c51be55c3ad20e23c5d4c4f8714208c7edbc96ec3b3999665df46
-
SHA512
1e62fd1c2a3000399d364ed8e959f84fbc12ee26d4f3bb227a6535bf95b83b9d4e42564f3f3f025ec085fcf8988aadae44db7c4cd5173f136c0e5625898fbb1a
-
SSDEEP
6144:bC5Mh4dvj2CYhwPDNJvQFeuTEnlNdZPKg9odoin+f79s9ejSXEiXElkHanM53:Th4dvtlDNJvQ4uIbdQd7+KMmEiXtc
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.guthrie.com.sg - Port:
587 - Username:
[email protected] - Password:
gut.com.sg
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla payload 5 IoCs
resource yara_rule behavioral1/memory/2700-17-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/2700-21-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/2700-19-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/2700-13-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla behavioral1/memory/2700-11-0x0000000000400000-0x0000000000450000-memory.dmp family_agenttesla -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Euro 11,600..Bankasi.exe Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Euro 11,600..Bankasi.exe Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Euro 11,600..Bankasi.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1196 set thread context of 2700 1196 Euro 11,600..Bankasi.exe 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Euro 11,600..Bankasi.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Euro 11,600..Bankasi.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2260 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2700 Euro 11,600..Bankasi.exe 2700 Euro 11,600..Bankasi.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2700 Euro 11,600..Bankasi.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1196 wrote to memory of 2260 1196 Euro 11,600..Bankasi.exe 30 PID 1196 wrote to memory of 2260 1196 Euro 11,600..Bankasi.exe 30 PID 1196 wrote to memory of 2260 1196 Euro 11,600..Bankasi.exe 30 PID 1196 wrote to memory of 2260 1196 Euro 11,600..Bankasi.exe 30 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 PID 1196 wrote to memory of 2700 1196 Euro 11,600..Bankasi.exe 32 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Euro 11,600..Bankasi.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 Euro 11,600..Bankasi.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Euro 11,600..Bankasi.exe"C:\Users\Admin\AppData\Local\Temp\Euro 11,600..Bankasi.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1196 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\evirTHUKyc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA563.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:2260
-
-
C:\Users\Admin\AppData\Local\Temp\Euro 11,600..Bankasi.exe"{path}"2⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
5Credentials In Files
4Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD57f00f6abac6e450c71e1af451c1d2045
SHA18a161f996f4be89e3392e3014a98e6549e0f88c5
SHA2562a63f4327c3e8334da36279b5a48510511190c0562ecdd6666161a74a8cebaff
SHA512a43e2b215a741f440cddc7a99fd19ca9cb213e81c19fddb11e490ec31366ca6faeebe4ad9e83ba6959f636023b6adcf18d2d05425c167ba8bbee444f533262f0