Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 11:43
General
-
Target
Wire slip account payable.pif.exe
-
Size
666KB
-
MD5
8f942f19242779ce2a16373221d5590a
-
SHA1
ef9a11fd0d62a51b4f561fe6b2f88505655ca90b
-
SHA256
38d921d063a0fb892086121bb34180b2a930819788a3e34a0d2f65224142d930
-
SHA512
50216249d3f120ea64e377bb3acd27edf4bef502d5cb4b83c3ab6974160dec4d7361cc5579f4e828403a2c3ed1cfcd926f64cab426758be84925a50b6e827947
-
SSDEEP
12288:FA6/s0yDmWpn5La3GDbFT0W84mJKIfr/vJmsqXzfnXqO36wxYKBb2jXkR:pNSLIGF0WADI3znXqRwqKBaC
Malware Config
Extracted
agenttesla
https://api.telegram.org/bot7180778750:AAGcpZL53RI1C6DEr2Yp4lM3UKxKArXTZ4I/
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Agenttesla family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\CYngmVGIUKXVQ.exe"2⤵
- Command and Scripting Interpreter: PowerShell
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\CYngmVGIUKXVQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1E8F.tmp"2⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"2⤵
-
-
C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"C:\Users\Admin\AppData\Local\Temp\Wire slip account payable.pif.exe"2⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
3Credentials in Registry
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD53d086a433708053f9bf9523e1d87a4e8
SHA1b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28
SHA2566f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69
SHA512931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd
-
Filesize
18KB
MD5cf58bc51e125b75b25b78e6cbef3b692
SHA11b19198969e6dbcc6d053bfe0b6f9856609bc893
SHA256fcf35781d77296ec43e0a655c138bf34dd9cd549f0f34882fae45db9eb8ce3d8
SHA51291e7a617b0674fd2de054d1dc926fddc42092496ac3ea0fb3a1cc4b6c023f39ca58bfeaf1675ca8fda9a3b7e9ba7ceacca751febbd88b01b6a9d1b5c2dd3e5fb
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
1KB
MD5d9ab594e7331be99a812e26a5ae7a04d
SHA1f12d414ab25fdf20f1638e42175adf167417ff36
SHA2564cd5564f9b82b115f8420cd5482dc7320bd8aa9f1e03776377b70cdf279bc4b3
SHA51297f879e90aa44ba9b979ab38e85eed62e82513e9620fe94a281d7565d3f366fa6e0dac224858e989f2415d43778e072239a0e5f6a0a8cb2fa0e25088d36f7e86
-
Filesize
200KB
-
Filesize
216KB
-
Filesize
7.7MB
-
Filesize
3.3MB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
652KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
6.2MB
-
Filesize
7.7MB
-
Filesize
136KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
680KB
-
Filesize
4KB
-
Filesize
544KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
320KB
-
Filesize
272KB
-
Filesize
7.7MB
-
Filesize
304KB
-
Filesize
104KB
-
Filesize
6.5MB
-
Filesize
40KB
-
Filesize
600KB
-
Filesize
68KB
-
Filesize
56KB
-
Filesize
80KB
-
Filesize
104KB
-
Filesize
32KB
-
Filesize
120KB
-
Filesize
304KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB