Analysis
-
max time kernel
139s -
max time network
141s -
platform
windows10_x64 -
resource
win10 -
submitted
24-06-2020 15:09
General
-
Target
003837828.exe
-
Size
1.4MB
-
MD5
88c4d1dc3561ecc79ce1805006a46a03
-
SHA1
c7a4c9e513e22e9dcae05f5e25ccf3b96fb613b3
-
SHA256
a4ae21742866df21e5b94b11a9384eb72393c38a8d49fc9fa786298b3a406710
-
SHA512
c29dd21db6789c4de1132b6605be35f4e796cb0aa16cf0f8d7383f0eba49b55decf7cbf516b83b476724fde271a1617f4328cfbea7919acadb7f770cf3a0e432
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
mail.seagull.com.pk - Port:
587 - Username:
seagull@seagull.com.pk - Password:
SyeD@1969
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 16 IoCs
-
Drops startup file 1 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Program crash 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\003837828.exe"C:\Users\Admin\AppData\Local\Temp\003837828.exe"1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"2⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3860 -s 243⤵
- Program crash
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\MSBuild.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4000 -s 14803⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2164-5-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/2448-13-0x00000000047A0000-0x00000000047A1000-memory.dmpFilesize
4KB
-
memory/2448-26-0x0000000004EE0000-0x0000000004EE1000-memory.dmpFilesize
4KB
-
memory/3860-1-0x0000000000847B6E-mapping.dmp
-
memory/3860-6-0x0000000000410000-0x0000000000411000-memory.dmpFilesize
4KB
-
memory/3860-0-0x0000000000800000-0x000000000084C000-memory.dmpFilesize
304KB
-
memory/4000-17-0x00000000007B7B6E-mapping.dmp
-
memory/4000-20-0x00000000007B7B6E-mapping.dmp
-
memory/4000-14-0x00000000007B7B6E-mapping.dmp
-
memory/4000-16-0x00000000007B7B6E-mapping.dmp
-
memory/4000-9-0x00000000007B7B6E-mapping.dmp
-
memory/4000-18-0x00000000007B7B6E-mapping.dmp
-
memory/4000-19-0x00000000007B7B6E-mapping.dmp
-
memory/4000-15-0x00000000007B7B6E-mapping.dmp
-
memory/4000-21-0x00000000007B7B6E-mapping.dmp
-
memory/4000-22-0x00000000007B7B6E-mapping.dmp
-
memory/4000-23-0x00000000007B7B6E-mapping.dmp
-
memory/4000-24-0x00000000007B7B6E-mapping.dmp
-
memory/4000-25-0x00000000007B7B6E-mapping.dmp
-
memory/4000-8-0x0000000000770000-0x00000000007BC000-memory.dmpFilesize
304KB