Analysis
Max time kernel: 148s
Max time network: 33s
Platform: windows7_x64
Resource: win7v200430
Submitted: 24-06-2020 15:09
Static task: static1
Behavioral task: behavioral1
  Sample: RERESHIPPING DOCUMENTS.exe
  Resource: win7v200430 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: RERESHIPPING DOCUMENTS.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General
Target: RERESHIPPING DOCUMENTS.exe
Size: 1.4MB
MD5: 4b84df939fc77afc1ea99bbe2c78ba71
SHA1: cead340d7a594ab1384888fe6232f4797b973a41
SHA256: cd77bc5bc1a62f613db72dca020f3fb093577ae47eb74917baba6a69f1a07389
SHA512: acfbc642c290e297e543aa99b935fa9f8f3e49ce45d3b43f6edf6fe0b68baaea13484c7c82cbf73a0ab0f4ef0913b012e0c6b684a5e4cf462dac50b16e479a97
Malware Config
Extracted
Family: agenttesla
Credentials (the attacker-controlled SMTP account the stealer sends harvested data to, not a victim credential)
Protocol: smtp
Host: mail.deepakengineers.co.in
Port: 587
Username: info@deepakengineers.co.in
Password: rubina@@123*
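The extracted SMTP account is the most directly actionable artifact on this page: the same username and password must appear, base64-encoded, in the SASL exchange of every exfiltration session the payload opens to mail.deepakengineers.co.in:587. The following is an added example (not part of the Triage report) that decodes AUTH LOGIN and AUTH PLAIN from an SMTP session transcript and checks it against the extracted config. The session lines are constructed, not a capture from this sample, and the "C: "/"S: " prefixes are this example's own convention. Caveat: if the client negotiates STARTTLS on port 587, the AUTH exchange is encrypted on the wire and this check only applies to a decrypted capture (TLS-intercepting sandbox or proxy).

```python
import base64

# Extracted configuration, copied from the report above.
AGENTTESLA_CONFIG = {
    "protocol": "smtp",
    "host": "mail.deepakengineers.co.in",
    "port": 587,
    "username": "info@deepakengineers.co.in",
    "password": "rubina@@123*",
}


def b64(s):
    """Base64-encode a str the way an SMTP client sends SASL tokens."""
    return base64.b64encode(s.encode()).decode()


# Constructed SMTP session, not a real capture: what an AUTH LOGIN exchange
# looks like when a client authenticates with the extracted credential.
# "C: " / "S: " mark client and server lines.
SAMPLE_SESSION = [
    "S: 220 mail.deepakengineers.co.in ESMTP",
    "C: EHLO victim-pc",
    "S: 250-AUTH LOGIN PLAIN",
    "S: 250 OK",
    "C: AUTH LOGIN",
    "S: 334 " + b64("Username:"),
    "C: " + b64("info@deepakengineers.co.in"),
    "S: 334 " + b64("Password:"),
    "C: " + b64("rubina@@123*"),
    "S: 235 2.7.0 Authentication successful",
    "C: MAIL FROM:<info@deepakengineers.co.in>",
]


def extract_smtp_credentials(session):
    """Return (username, password) from the session's AUTH LOGIN or AUTH PLAIN
    exchange, or None if the client never completed authentication."""
    client = [line[3:].strip() for line in session if line.startswith("C: ")]
    for i, line in enumerate(client):
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() != "AUTH":
            continue
        mech = parts[1].upper()
        try:
            if mech == "PLAIN":
                # RFC 4616: base64([authzid] NUL authcid NUL passwd), sent
                # inline as an initial response or on the next client line.
                token = parts[2] if len(parts) > 2 else client[i + 1]
                fields = base64.b64decode(token).decode().split("\0")
                if len(fields) == 3:
                    return fields[1], fields[2]
            elif mech == "LOGIN":
                # The username may be sent inline; the password always follows.
                if len(parts) > 2:
                    user_tok, pass_tok = parts[2], client[i + 1]
                else:
                    user_tok, pass_tok = client[i + 1], client[i + 2]
                return (base64.b64decode(user_tok).decode(),
                        base64.b64decode(pass_tok).decode())
        except (IndexError, ValueError):
            # Truncated session or malformed base64: no usable credential.
            return None
    return None


def matches_config(session, config):
    """True if the session authenticates with the extracted SMTP account."""
    creds = extract_smtp_credentials(session)
    return creds == (config["username"], config["password"])
```

Matching on the decoded username rather than on the host alone distinguishes the stealer's sessions from legitimate mail to the same (compromised, third-party) server, and the decoded credential is what you hand to the mailbox owner so the account can be reset.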
Signatures
AgentTesla
Agent Tesla is a .NET information stealer and remote access tool (RAT), originally written in Visual Basic .NET. It harvests browser, mail-client and Wi-Fi credentials plus keystrokes and exfiltrates them over SMTP, FTP or HTTP; this sample uses the SMTP account in the extracted config.
AgentTesla Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral1/memory/1012-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1012-1-0x000000000044CA6E-mapping.dmp | family_agenttesla
  behavioral1/memory/1012-2-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
Note: all three memory hits are in PID 1012, which is MSBuild.exe (see the process tree below), not in the dropper RERESHIPPING DOCUMENTS.exe (PID 1400). The payload only exists unpacked inside the injected host.
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe" | MSBuild.exe
Note: the persistence entry is written by the injected host (MSBuild.exe, PID 1012), so the registry event's process image is a Microsoft-signed binary; detections keyed on "unsigned process writes Run key" miss it.
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 1400 set thread context of 1012 | 1400 | RERESHIPPING DOCUMENTS.exe | MSBuild.exe
Note: WriteProcessMemory followed by SetThreadContext from the dropper (PID 1400) into the MSBuild.exe child it spawned (PID 1012) is the process-hollowing pattern; combined with the payload YARA hits in PID 1012's memory, this is how the AgentTesla payload ends up running under a legitimate .NET Framework image.
Suspicious behavior: EnumeratesProcesses (16 IoCs)
Processes:
  pid | process | events
  1012 | MSBuild.exe | 2
  1400 | RERESHIPPING DOCUMENTS.exe | 14
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1012 | MSBuild.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  pid | process | events
  1400 | RERESHIPPING DOCUMENTS.exe | 3
Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  pid | process | events
  1400 | RERESHIPPING DOCUMENTS.exe | 3
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  pid | process
  1012 | MSBuild.exe
Note: a Windows message hook installed by the injected payload (PID 1012) is consistent with AgentTesla's keylogger.
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process | events
  PID 1400 wrote to memory of 1012 | 1400 | RERESHIPPING DOCUMENTS.exe | MSBuild.exe | 6
  PID 1012 wrote to memory of 320 | 1012 | MSBuild.exe | netsh.exe | 4
Processes
1. C:\Users\Admin\AppData\Local\Temp\RERESHIPPING DOCUMENTS.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RERESHIPPING DOCUMENTS.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      (launched with no project file or switches: an empty host for the injected AgentTesla payload, not a build)
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe
         Command line: "netsh" wlan show profile
         (enumerates saved Wi-Fi profiles; AgentTesla collects these as part of its credential harvesting)
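The signature tables and the process tree above together describe one chain: the dropper spawns an argument-less MSBuild.exe, writes into it and redirects its thread (hollowing), and the hollowed host then writes the Run key and launches netsh to dump Wi-Fi profiles. The following is an added example (not part of the Triage report) of detection logic over that chain. The event lines are constructed from the report's tables in a pipe-delimited layout that is this example's own, not the sandbox's export format; the HOLLOW_HOSTS list, the rule names and the benign control events are likewise the example's assumptions.

```python
import re
from collections import defaultdict

# Behaviour events constructed from the report's signature tables and
# process tree. The pipe-delimited layout is this example's own:
#   process|pid|image name|parent pid|command line
#   api|pid|call|argument (target pid or privilege name)
#   reg|pid|operation|key|value
SAMPLE_EVENTS = r"""
process|1400|RERESHIPPING DOCUMENTS.exe|0|"C:\Users\Admin\AppData\Local\Temp\RERESHIPPING DOCUMENTS.exe"
process|1012|MSBuild.exe|1400|"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
process|320|netsh.exe|1012|"netsh" wlan show profile
api|1400|WriteProcessMemory|1012
api|1400|WriteProcessMemory|1012
api|1400|SetThreadContext|1012
api|1012|AdjustPrivilegeToken|SeDebugPrivilege
api|1012|WriteProcessMemory|320
reg|1012|SetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\NewApp|C:\Users\Admin\AppData\Roaming\NewApp\NewApp.exe
"""

# Constructed benign control: a build tool launching MSBuild with a project.
BENIGN_EVENTS = r"""
process|500|devenv.exe|0|"C:\Program Files\Microsoft Visual Studio\devenv.exe"
process|501|MSBuild.exe|500|"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe" app.csproj /t:Build
api|500|WriteProcessMemory|501
"""

# Microsoft-signed .NET utilities that commodity loaders commonly hollow
# (assumed list for this example).
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "vbc.exe", "csc.exe", "applaunch.exe"}

# Command-line tail after the quoted executable token.
_ARGS = re.compile(r'^"[^"]*"\s*(.*)$')


def parse_events(text):
    """Split the event text into process, API-call and registry tables."""
    procs, apis, regs = {}, defaultdict(set), []
    for line in text.strip().splitlines():
        kind, pid, *rest = line.split("|")
        pid = int(pid)
        if kind == "process":
            name, ppid, cmdline = rest
            procs[pid] = {"name": name, "ppid": int(ppid), "cmdline": cmdline}
        elif kind == "api":
            apis[pid].add(tuple(rest))          # (call, argument)
        elif kind == "reg":
            regs.append((pid, *rest))           # (pid, op, key, value)
    return procs, apis, regs


def detect(text):
    """Return [(rule, detail), ...] for the chain seen in the report: hollowing
    of a .NET host, persistence written from it, and Wi-Fi profile theft."""
    procs, apis, regs = parse_events(text)
    findings, hollowed = [], set()

    # 1. Process hollowing: a parent writes into a child it spawned and then
    #    redirects that child's thread with SetThreadContext.
    for pid, calls in apis.items():
        for call, arg in sorted(calls):
            if call != "SetThreadContext":
                continue
            target = int(arg)
            child = procs.get(target)
            if (child and child["ppid"] == pid
                    and ("WriteProcessMemory", arg) in calls
                    and child["name"].lower() in HOLLOW_HOSTS):
                hollowed.add(target)
                findings.append(("process_hollowing",
                                 f"{procs[pid]['name']} ({pid}) -> {child['name']} ({target})"))

    # 2. Heuristic: MSBuild.exe with no project file or switch builds nothing;
    #    loaders start it that way purely as an empty, signed host.
    for pid, p in procs.items():
        m = _ARGS.match(p["cmdline"])
        if p["name"].lower() == "msbuild.exe" and m and m.group(1) == "":
            findings.append(("msbuild_no_project", f"{p['name']} ({pid})"))

    # 3. Persistence written by the hollowed host rather than by the dropper.
    for pid, op, key, value in regs:
        if op == "SetValue" and "\\currentversion\\run\\" in key.lower() and pid in hollowed:
            findings.append(("run_key_persistence", f"{key} = {value}"))

    # 4. Saved Wi-Fi profile enumeration via netsh, attributed to its parent.
    for pid, p in procs.items():
        args = p["cmdline"].lower()
        if p["name"].lower() == "netsh.exe" and "wlan" in args and "show profile" in args:
            parent = procs.get(p["ppid"], {}).get("name", "?")
            findings.append(("wifi_profile_harvest", f"{parent} -> {p['cmdline']}"))
    return findings
```

Rules 3 and 4 deliberately key on the hollowed PID rather than on the image name, which is the point of this sample: every post-injection action is performed by MSBuild.exe, so a detection that trusts Microsoft-signed images sees nothing, while one that tracks which PIDs received a SetThreadContext from their parent catches the Run key and the netsh child in the same pass. The benign control (devenv.exe running MSBuild with a project) produces no findings.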