Analysis
- max time kernel: 138s
- max time network: 81s
- platform: windows10_x64
- resource: win10v200430
- submitted: 24-06-2020 14:28
Tasks
- Static task: static1
- Behavioral task: behavioral1 (Sample: hf3cTSc1CVm268N.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: hf3cTSc1CVm268N.exe, Resource: win10v200430)
General
- Target: hf3cTSc1CVm268N.exe
- Size: 436KB
- MD5: 5e4518fbae6a46e0a54f8ac692228635
- SHA1: d4d2a3292d21280cdbd1cb60da182e8a266d22d3
- SHA256: be34c89f025f7c0309049f197eb3c50402094440bb8f83cc554975c674ad304d
- SHA512: 47a5c77e4bfac853e97e31cb71cc4196612c63898e9245dac59c78a5e182f2adc9b789ce28195bc5d06ac335664c08da22d0026380f7b30e1b17fb51870c995c
Malware Config
- Extracted (family: agenttesla)
  Protocol: smtp
  Host: mail.prismindia.in
  Port: 587
  Username: gold@prismindia.in
  Password: Stencil1@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes (resource, YARA rule):
  behavioral2/memory/2236-0-0x0000000000400000-0x0000000000450000-memory.dmp: family_agenttesla
  behavioral2/memory/2236-1-0x000000000044B07E-mapping.dmp: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description, pid, process, target process):
  PID 3656 set thread context of 2236: 3656, hf3cTSc1CVm268N.exe, hf3cTSc1CVm268N.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  2236, hf3cTSc1CVm268N.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description, pid, process):
  Token: SeDebugPrivilege: 2236, hf3cTSc1CVm268N.exe
- Suspicious use of WriteProcessMemory (11 IoCs)
  Processes (description, pid, process, target process):
  PID 3656 wrote to memory of 2236: 3656, hf3cTSc1CVm268N.exe, hf3cTSc1CVm268N.exe (8 events)
  PID 2236 wrote to memory of 4008: 2236, hf3cTSc1CVm268N.exe, netsh.exe (3 events)
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\hf3cTSc1CVm268N.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\hf3cTSc1CVm268N.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Level 2 (child): C:\Users\Admin\AppData\Local\Temp\hf3cTSc1CVm268N.exe
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3 (child): C:\Windows\SysWOW64\netsh.exe
      Command line: "netsh" wlan show profile
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\hf3cTSc1CVm268N.exe.log
  MD5: ef140ef600b2463c9e7dbf064a104046
  SHA1: c08fd1853877be95575ea2e860dd8cafef31f54c
  SHA256: ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
  SHA512: bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c
- memory/2236-0-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/2236-1-0x000000000044B07E-mapping.dmp
- memory/4008-5-0x0000000000000000-mapping.dmp