Analysis
max time kernel: 4s
max time network: 150s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 01-07-2024 01:29
Static task: static1
Behavioral task: behavioral1
Sample: 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe
Resource: win7-20240508-en
General
Target: 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe
Size: 2.2MB
MD5: 31cbb0ad4fbff526978c68212a36fb90
SHA1: d5cbdd8f03037a73dd40c0819498c969ae5b9102
SHA256: 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b
SHA512: 3f8e80aa86d486eacf4336b6a0a8f9c997de33a7ae1da5a1637e99fc168e0c4c8c1a9324b3c9bb69ce74d3529a881931234f45764d8f46810d820fb5629414a5
SSDEEP: 49152:eF50a6aPVOFMx3SmroCZscivbS6mqxEWoKmqZJffp3vSsqPUCeaw1GANOmJA:croA7P/YJ
Malware Config
Extracted: xworm
Version: 5.0
C2: 195.10.205.94:7725
rliv2fMggtmcxYMM (unlabelled value in the extracted config)
Install_directory: %AppData%
install_file: XClient.exe
Extracted: agenttesla
Protocol: smtp
Host: s82.gocheapweb.com
Port: 587
Username: [email protected]
Password: london@1759
Email To: [email protected]
Extracted: redline
Botnet: foz
C2: 209.90.234.57:1913
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
Detect Xworm Payload (3 IoCs)
YARA rule hits:
resource | yara_rule
behavioral1/memory/2708-3-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2708-5-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2708-1-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
RedLine payload (1 IoC)
YARA rule hits:
resource | yara_rule
behavioral1/memory/2708-27-0x00000000067C0000-0x0000000006812000-memory.dmp | family_redline
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes:
pid | process
2692 | powershell.exe
2732 | powershell.exe
2760 | powershell.exe
2768 | powershell.exe
Looks up external IP address via web service (5 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
6 | api.ipify.org
8 | api.ipify.org
9 | api.ipify.org
10 | api.ipify.org
12 | ip-api.com
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 1688 set thread context of 2708 | 1688 | 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe | CasPol.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 2708 | CasPol.exe
Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process
PID 1688 wrote to memory of 2300 | 1688 | 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe | jsc.exe (5 events)
PID 1688 wrote to memory of 2708 | 1688 | 1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe | CasPol.exe (9 events)
PID 2708 wrote to memory of 2732 | 2708 | CasPol.exe | powershell.exe (4 events)
Read together, the sample writing into the freshly spawned CasPol.exe (PID 2708) and then calling SetThreadContext on it is the sequence used by process hollowing; it is consistent with the family_xworm hits landing in the 0x400000-0x410000 image region of PID 2708 and the family_redline hit in the same process, while the sample's own image is never flagged.
Processes
1. C:\Users\Admin\AppData\Local\Temp\1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe"
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe'
         - Command and Scripting Interpreter: PowerShell
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'CasPol.exe'
         - Command and Scripting Interpreter: PowerShell
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'
         - Command and Scripting Interpreter: PowerShell
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
         - Command and Scripting Interpreter: PowerShell
The four PowerShell children are launched by the hollowed CasPol.exe, not by the original sample. Each command line names the System32 PowerShell while the image that actually ran is the SysWOW64 copy: the 32-bit parent is subject to WOW64 file-system redirection. The two exclusions for C:\Users\Admin\AppData\Roaming\XClient.exe match the Install_directory and install_file values in the extracted XWorm config.
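As an added example that is not part of the sandbox report, the script below turns the behaviours on the CasPol.exe branch of the tree into three detection rules and runs them over process-creation events constructed from the report: Add-MpPreference exclusions, .NET Framework utilities launched argument-less from a user-profile path (the hollowing targets jsc.exe and CasPol.exe), and powershell.exe spawned by such a utility. PIDs and paths are taken from the report; the root's parent PID (1000), the extra utility names beyond jsc.exe and CasPol.exe, and the rule names are assumptions.

```python
"""Detection rules for the behaviours in the report's CasPol.exe branch.

Events are constructed from the report's process tree (constructed sample
data, not sandbox output); the root process's parent PID 1000 is assumed.
"""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str     # path of the new process's image
    cmdline: str   # command line as logged (Sysmon event 1 / 4688 style)


# jsc.exe and CasPol.exe are the targets in this report; the other names are
# commonly abused siblings from the same directory, added as an assumed
# extension of the list rather than taken from the report.
DOTNET_UTILITIES = {"caspol.exe", "jsc.exe", "regasm.exe", "regsvcs.exe",
                    "msbuild.exe", "installutil.exe"}

# Parent image living under a user profile's AppData tree.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)

# Add-MpPreference with one of the exclusion switches. PowerShell also accepts
# unambiguous prefixes of parameter names (-ExclusionPa), which this pattern
# does not cover; extend it if your telemetry shows abbreviated switches.
EXCLUSION_RE = re.compile(
    r"add-mppreference\b.*?-exclusion(path|process|extension)\s+['\"]?([^'\"\s]+)",
    re.I)


def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()


def has_arguments(event: ProcEvent) -> bool:
    """True unless the command line is just the (optionally quoted) image path."""
    return event.cmdline.strip().strip('"').lower() != event.image.lower()


def findings(events):
    """Return (rule, pid, detail_a, detail_b) tuples for every matching event."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = basename(e.image)
        parent_name = basename(parent.image) if parent else ""

        m = EXCLUSION_RE.search(e.cmdline)
        if m:
            out.append(("defender_exclusion", e.pid, m.group(1).lower(), m.group(2)))

        # A .NET Framework utility started from AppData with no arguments has the
        # shape of a hollowing target: the parent wants a process backed by a
        # signed Microsoft image to write into, not the utility's functionality.
        if (name in DOTNET_UTILITIES and parent
                and USER_WRITABLE.match(parent.image) and not has_arguments(e)):
            out.append(("dotnet_utility_from_user_path", e.pid, name, parent_name))

        if name == "powershell.exe" and parent_name in DOTNET_UTILITIES:
            out.append(("powershell_from_dotnet_utility", e.pid, parent_name, None))
    return out


def rule_counts(events) -> Counter:
    return Counter(f[0] for f in findings(events))


# Constructed events mirroring the report's tree (PIDs and paths from the report).
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\1669d57e8c83d0666c86fafcd484a5fd158c995a58ad9a6855c56d849c00b40b.exe")
NET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
JSC, CASPOL = NET + r"\jsc.exe", NET + r"\CasPol.exe"
# The image is the SysWOW64 copy although the command line names System32:
# the 32-bit parent is subject to WOW64 file-system redirection.
PS_IMAGE = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_PREFIX = (r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
             r"-ExecutionPolicy Bypass Add-MpPreference ")

EVENTS = [
    ProcEvent(1688, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2300, 1688, JSC, f'"{JSC}"'),
    ProcEvent(2708, 1688, CASPOL, f'"{CASPOL}"'),
    ProcEvent(2692, 2708, PS_IMAGE, PS_PREFIX + r"-ExclusionPath '" + CASPOL + "'"),
    ProcEvent(2732, 2708, PS_IMAGE, PS_PREFIX + r"-ExclusionProcess 'CasPol.exe'"),
    ProcEvent(2760, 2708, PS_IMAGE,
              PS_PREFIX + r"-ExclusionPath 'C:\Users\Admin\AppData\Roaming\XClient.exe'"),
    ProcEvent(2768, 2708, PS_IMAGE, PS_PREFIX + r"-ExclusionProcess 'XClient.exe'"),
]

if __name__ == "__main__":
    for f in findings(EVENTS):
        print(f)
    print(rule_counts(EVENTS))
```

The argument-less check and the AppData parent are what keep a developer box, where jsc.exe or MSBuild.exe run with real arguments from a build tool, out of the alert; the exclusion rule needs no such context, since Add-MpPreference from a non-administrative tool is rare enough to page on by itself. The WriteProcessMemory and SetThreadContext events in the report come from API tracing rather than process-creation telemetry and are not modelled here.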
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize: 7KB
MD5: 68995f5bd2f6581dd7c7288b1547ba86
SHA1: 3b1c8a2ca8215cc78e5017a80cc898f310d16857
SHA256: 0b379f3a872af073da85e5bfdea1140c028c15da5144326be7525d092ef0076a
SHA512: 43ee7654d781834ffd3a6c8b9529e37dbbad235b5ed90135d836ebc13daceaa6f9ce87d51a7ec754b6630ea1b40b8b061e7966a6ed775f8601666b4b0e1bfd7f
Memory dumps (all from PID 2708, CasPol.exe):
memory/2708-3-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB (family_xworm)
memory/2708-5-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB (family_xworm)
memory/2708-6-0x000000007434E000-0x000000007434F000-memory.dmp: 4KB
memory/2708-1-0x0000000000400000-0x0000000000410000-memory.dmp: 64KB (family_xworm)
memory/2708-25-0x0000000074340000-0x0000000074A2E000-memory.dmp: 6.9MB
memory/2708-26-0x0000000005060000-0x00000000050A2000-memory.dmp: 264KB
memory/2708-27-0x00000000067C0000-0x0000000006812000-memory.dmp: 328KB (family_redline)
memory/2708-28-0x00000000068B0000-0x00000000068F4000-memory.dmp: 272KB
memory/2708-29-0x000000007434E000-0x000000007434F000-memory.dmp: 4KB
memory/2708-30-0x0000000074340000-0x0000000074A2E000-memory.dmp: 6.9MB