Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
15-11-2024 02:06
Static task
static1
Behavioral task
behavioral1
Sample
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe
Resource
win7-20240903-en
General
-
Target
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe
-
Size
3.6MB
-
MD5
8b93d5bdb968ac5529e2e3b7d8f48e0f
-
SHA1
3150827afacd8d45f48afd8303e1cb87db065b0f
-
SHA256
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610
-
SHA512
c5947a0a9c73a9792ab850a7a27991bdd27481ed8354d6c6b919e5c63ea7ce18b9bc5b6d4a9a59f8ad4640b243812e859e4e41500c7e7c3a64bb416bc5855ca0
-
SSDEEP
98304:LABhsWLl2oOvpJwg0K2c/iiWOvpJwg0K2c/ii:a2pwPcHrwPcH
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
162.254.34.31 - Port:
587 - Username:
[email protected] - Password:
M992uew1mw6Z - Email To:
[email protected]
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 4 api.ipify.org 5 api.ipify.org -
Suspicious use of SetThreadContext 1 IoCs
Processes:
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exedescription pid Process procid_target PID 2100 set thread context of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 -
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exeregasm.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regasm.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
regasm.exepid Process 2544 regasm.exe 2544 regasm.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exepid Process 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
regasm.exedescription pid Process Token: SeDebugPrivilege 2544 regasm.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exepid Process 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exedescription pid Process procid_target PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30 PID 2100 wrote to memory of 2544 2100 227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe"C:\Users\Admin\AppData\Local\Temp\227573efd0eb09e333ed2931be435e2d85da66868f4d7827d6f50db3a3005610.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2100 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2544
-