Analysis
- max time kernel: 143s
- max time network: 25s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: PURCHASE ORDER.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: PURCHASE ORDER.exe
- Resource: win10v200430 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: PURCHASE ORDER.exe
- Size: 1.4MB
- MD5: f315ec23b5a581845fea692174b46232
- SHA1: bf9b4f795cdca74ec362017a5fe553e9997ee3f8
- SHA256: bca37ddb3330991ff40fdc9462eebaf28b8cca2ee0a3c89b4102517c77d2dae8
- SHA512: a5dbec7eb97491162cff8a7aa27f039023700e0298a87fde32e6e71421006ffd010e979e10b0cec8b089dc3add8e7080c8dea5a93424a47d2cbc29790859391e
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: dave.tecoman@yandex.com
  - Password: General101
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1196-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1196-1-0x000000000044C44E-mapping.dmp | family_agenttesla
  behavioral1/memory/1196-2-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Drops startup file (1 IoC)
  Processes: PURCHASE ORDER.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdbinst.url | PURCHASE ORDER.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: PURCHASE ORDER.exe
  description | pid | process | target process
  PID 832 set thread context of 1196 | 832 | PURCHASE ORDER.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes: MSBuild.exe, PURCHASE ORDER.exe
  pid | process
  1196 | MSBuild.exe (2 entries)
  832 | PURCHASE ORDER.exe (14 entries)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1196 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: PURCHASE ORDER.exe
  pid | process
  832 | PURCHASE ORDER.exe (3 entries)
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: PURCHASE ORDER.exe
  pid | process
  832 | PURCHASE ORDER.exe (3 entries)
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: PURCHASE ORDER.exe, MSBuild.exe
  description | pid | process | target process
  PID 832 wrote to memory of 1196 | 832 | PURCHASE ORDER.exe | MSBuild.exe (6 entries)
  PID 1196 wrote to memory of 1624 | 1196 | MSBuild.exe | netsh.exe (4 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile