Analysis
-
max time kernel
122s -
max time network
127s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07/10/2024, 09:30 UTC
Behavioral task
behavioral1
Sample
final_payload.exe
Resource
win7-20240903-en
General
-
Target
final_payload.exe
-
Size
237KB
-
MD5
98ca5c0430d77e315958f9d9c1d1d11d
-
SHA1
4039ec85d1b8ab79275d0d1973a7ed2189430475
-
SHA256
f1ef036b61d724edf304d171e67d4bd3faf0d27abd5486ae0893843a5464ed9b
-
SHA512
4a30276ac8ac30453a2e048dd014d1ce180c4ccf3c07dd143f3f520695e81568011e91933d0bbfa0b1f46c0377dffa10bec43cf28292b215a7174e9c22d25ba4
-
SSDEEP
3072:8S6yayKFhMvis4Kj62BIoR0Ea5t9H5aabLEJUb:8S6yayKF+vTDfIoR0Ea5t9E8LM
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mohawatradingco.com - Port:
587 - Username:
bi@mohawatradingco.com - Password:
mohawatradingco.com - Email To:
biz@mohawatradingco.com
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 4 ip-api.com -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language final_payload.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 3028 final_payload.exe 3028 final_payload.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 3028 final_payload.exe
Processes
Network
-
Remote address:8.8.8.8:53Requestip-api.comIN AResponseip-api.comIN A208.95.112.1
-
Remote address:208.95.112.1:80RequestGET /line/?fields=hosting HTTP/1.1
Host: ip-api.com
Connection: Keep-Alive
ResponseHTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 5
Access-Control-Allow-Origin: *
X-Ttl: 52
X-Rl: 43
-
310 B 346 B 5 4
HTTP Request
GET http://ip-api.com/line/?fields=hostingHTTP Response
200