Analysis
max time kernel: 147s
max time network: 62s
platform: windows10_x64
resource: win10v200430
submitted: 24-06-2020 14:58
Static task: static1
Behavioral task: behavioral1
  Sample: PURCHASE ORDER.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: PURCHASE ORDER.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: PURCHASE ORDER.exe
Size: 1.4MB
MD5: f315ec23b5a581845fea692174b46232
SHA1: bf9b4f795cdca74ec362017a5fe553e9997ee3f8
SHA256: bca37ddb3330991ff40fdc9462eebaf28b8cca2ee0a3c89b4102517c77d2dae8
SHA512: a5dbec7eb97491162cff8a7aa27f039023700e0298a87fde32e6e71421006ffd010e979e10b0cec8b089dc3add8e7080c8dea5a93424a47d2cbc29790859391e
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: dave.tecoman@yandex.com
  Password: General101
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1812-0-0x0000000000180000-0x00000000001D2000-memory.dmp | family_agenttesla
behavioral2/memory/1812-1-0x00000000001CC44E-mapping.dmp | family_agenttesla
Drops startup file (1 IoC)
Processes: PURCHASE ORDER.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sdbinst.url | PURCHASE ORDER.exe
Suspicious use of SetThreadContext (1 IoC)
Processes: PURCHASE ORDER.exe
description | pid | process | target process
PID 4024 set thread context of 1812 | 4024 | PURCHASE ORDER.exe | MSBuild.exe
Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: MSBuild.exe, PURCHASE ORDER.exe
pid | process
1812 | MSBuild.exe (2 entries)
4024 | PURCHASE ORDER.exe (28 entries)
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 1812 | MSBuild.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes: PURCHASE ORDER.exe
pid | process
4024 | PURCHASE ORDER.exe (3 entries)
Suspicious use of SendNotifyMessage (3 IoCs)
Processes: PURCHASE ORDER.exe
pid | process
4024 | PURCHASE ORDER.exe (3 entries)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes: PURCHASE ORDER.exe, MSBuild.exe
description | pid | process | target process
PID 4024 wrote to memory of 1812 | 4024 | PURCHASE ORDER.exe | MSBuild.exe (5 entries)
PID 1812 wrote to memory of 1672 | 1812 | MSBuild.exe | netsh.exe (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PURCHASE ORDER.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile