Analysis
-
max time kernel
122s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
22-09-2024 17:25
Static task
static1
Behavioral task
behavioral1
Sample
SecuriteInfo.com.FileRepMalware.19940.26551.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
SecuriteInfo.com.FileRepMalware.19940.26551.exe
Resource
win10v2004-20240802-en
General
-
Target
SecuriteInfo.com.FileRepMalware.19940.26551.exe
-
Size
1.1MB
-
MD5
e4df42ee6fd39d7ef3cb767571a3d9cf
-
SHA1
bc9db1db251e96c25d495ecf7eaeccc0b682a2aa
-
SHA256
6460c253f6d9b12b4598caca091e84040c80a929cae2997f0c9eb11c2897a1f0
-
SHA512
65da7053e550a573f0a5447efb20d478aa51ed0e509e6af3dbc1ad6cfa255a0e41817fd9c80ec2b2e08ecd6765448b4a0ab833f97fb141c01965b46fbf618075
-
SSDEEP
24576:uRmJkcoQricOIQxiZY1iaCkSyjflIANDV/qlFswQjzJwBPvAZnpm:7JZoQrbTFZY1iaCkSyj+AND1mFNuwBnd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.worlorderbillions.top - Port:
587 - Username:
[email protected] - Password:
3^?r?mtxk(kt - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2108 set thread context of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SecuriteInfo.com.FileRepMalware.19940.26551.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RegSvcs.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2064 RegSvcs.exe 2064 RegSvcs.exe -
Suspicious behavior: MapViewOfSection 2 IoCs
pid Process 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2064 RegSvcs.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30 PID 2108 wrote to memory of 2064 2108 SecuriteInfo.com.FileRepMalware.19940.26551.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.19940.26551.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.19940.26551.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2108 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.FileRepMalware.19940.26551.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2064
-