Analysis
- max time kernel: 118s
- max time network: 125s
- platform: windows7_x64
- resource: win7
- submitted: 24-06-2020 13:37
Static task: static1

Behavioral task: behavioral1
- Sample: 02_extracted.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: 02_extracted.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 02_extracted.exe
- Size: 1.4MB
- MD5: aa6b21d6aba228278fbd1241622fcf58
- SHA1: 989ebf5b8719cfc24f01168f21f4d1183bc476ad
- SHA256: e149a102d8d46f836240231143538c91f2d4bf6f4dc37fbd3cc20d0813ddcdb8
- SHA512: ccc4f4a07f4913d3a87822622e94b00510a481487b72a1621c0e587c9b31d56f2819f545d2a63456e79424ac2ec72bcd0ace8d6e63d1670bb508060c796b3426
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: flexo.verat.net
  - Port: 587
  - Username: olalekan@afc.rs
  - Password: lekan@123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/596-0-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
  behavioral1/memory/596-1-0x000000000044DA2E-mapping.dmp                    family_agenttesla
  behavioral1/memory/596-2-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
- Drops startup file (1 IoC)
  description                   ioc                                                                                                   process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\UpdateNotificationMgr.url  02_extracted.exe
- Suspicious use of SetThreadContext (1 IoC)
  description                        pid  process           target process
  PID 896 set thread context of 596  896  02_extracted.exe  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  process
  896  02_extracted.exe
  896  02_extracted.exe
  596  MSBuild.exe
  596  MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid  process
  Token: SeDebugPrivilege  596  MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid  process
  896  02_extracted.exe
  896  02_extracted.exe
  896  02_extracted.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  pid  process
  896  02_extracted.exe
  896  02_extracted.exe
  896  02_extracted.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid  process
  596  MSBuild.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  description                     pid  process           target process
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 896 wrote to memory of 596  896  02_extracted.exe  MSBuild.exe
  PID 596 wrote to memory of 1816  596  MSBuild.exe      netsh.exe
  PID 596 wrote to memory of 1816  596  MSBuild.exe      netsh.exe
  PID 596 wrote to memory of 1816  596  MSBuild.exe      netsh.exe
  PID 596 wrote to memory of 1816  596  MSBuild.exe      netsh.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\02_extracted.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\02_extracted.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile