Analysis
- max time kernel: 93s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2024 01:49

Static task: static1
Behavioral task: behavioral1
- Sample: RFQ.exe
- Resource: win7-20240729-en
General
- Target: RFQ.exe
- Size: 2.1MB
- MD5: 388cda6f9ff919c387e097bd12538c7c
- SHA1: 1ab6a7ede3eeb8c4a99f0176e42fb5f6950842bf
- SHA256: 0183ba97dbe99cfbc5aa2966de3239d27bb7d14cab59bc2fb9d268645b475fbc
- SHA512: 77bc4335af3c69fae5762569b0207a038d2abedb907706214fb2210d1dd00db09055c240873a8c638a5f1b7eee74517af2e7f56677de940d43a53da5b88299ac
- SSDEEP: 12288:pFv5TD20phWGTZoH6NE+B1rFVoiYYQdjgLytJRA0VlxTQ6u:7h2ibTKQPvQdjgKVl1Q6u
Malware Config
Extracted
- Protocol: smtp
- Host: mail.alhoneycomb.com
- Port: 587
- Username: [email protected]
- Password: WORTHwill3611!

Extracted: agenttesla
- Protocol: smtp
- Host: mail.alhoneycomb.com
- Port: 587
- Username: [email protected]
- Password: WORTHwill3611!
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Agenttesla family
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: RFQ.exe
  description                          pid   Process   procid_target
  PID 1716 set thread context of 3684  1716  RFQ.exe   84
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes: AddInProcess32.exe
  description   ioc                                                          Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: AddInProcess32.exe
  pid   Process
  3684  AddInProcess32.exe
  3684  AddInProcess32.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: RFQ.exe, AddInProcess32.exe
  description              pid   Process
  Token: SeDebugPrivilege  1716  RFQ.exe
  Token: SeDebugPrivilege  3684  AddInProcess32.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes: AddInProcess32.exe
  pid   Process
  3684  AddInProcess32.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes: RFQ.exe
  description                       pid   Process   procid_target
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 3684  1716  RFQ.exe   84
  PID 1716 wrote to memory of 2884  1716  RFQ.exe   85
  PID 1716 wrote to memory of 2884  1716  RFQ.exe   85
  PID 1716 wrote to memory of 2884  1716  RFQ.exe   85
Processes
- C:\Users\Admin\AppData\Local\Temp\RFQ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
  PID: 1716
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    PID: 3684
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    PID: 2884