Analysis
Max time kernel: 148s
Max time network: 68s
Platform: windows10_x64
Resource: win10v200430
Submitted: 24-06-2020 15:09

Static task: static1

Behavioral task: behavioral1
Sample: RERESHIPPING DOCUMENTS.exe
Resource: win7v200430 (windows7_x64)
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: RERESHIPPING DOCUMENTS.exe
Resource: win10v200430 (windows10_x64)
0 signatures, 0 seconds
General
Target: RERESHIPPING DOCUMENTS.exe
Size: 1.4MB
MD5: 4b84df939fc77afc1ea99bbe2c78ba71
SHA1: cead340d7a594ab1384888fe6232f4797b973a41
SHA256: cd77bc5bc1a62f613db72dca020f3fb093577ae47eb74917baba6a69f1a07389
SHA512: acfbc642c290e297e543aa99b935fa9f8f3e49ce45d3b43f6edf6fe0b68baaea13484c7c82cbf73a0ab0f4ef0913b012e0c6b684a5e4cf462dac50b16e479a97
Malware Config
Extracted
Family: agenttesla
Credentials
Protocol: smtp
Host: mail.deepakengineers.co.in
Port: 587
Username: info@deepakengineers.co.in
Password: rubina@@123*
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/644-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral2/memory/644-1-0x000000000044CA6E-mapping.dmp | family_agenttesla

Adds Run key to start application (2 TTPs, 1 IoCs)
Process: MSBuild.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe" | MSBuild.exe

Suspicious use of SetThreadContext (1 IoCs)
Process: RERESHIPPING DOCUMENTS.exe
description | pid | process | target process
PID 428 set thread context of 644 | 428 | RERESHIPPING DOCUMENTS.exe | MSBuild.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes: MSBuild.exe, RERESHIPPING DOCUMENTS.exe
pid | process
644 | MSBuild.exe (2 entries)
428 | RERESHIPPING DOCUMENTS.exe (28 entries)

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Process: MSBuild.exe
description | pid | process
Token: SeDebugPrivilege | 644 | MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Process: RERESHIPPING DOCUMENTS.exe
pid | process
428 | RERESHIPPING DOCUMENTS.exe (3 entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Process: RERESHIPPING DOCUMENTS.exe
pid | process
428 | RERESHIPPING DOCUMENTS.exe (3 entries)

Suspicious use of SetWindowsHookEx (1 IoCs)
Process: MSBuild.exe
pid | process
644 | MSBuild.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes: RERESHIPPING DOCUMENTS.exe, MSBuild.exe
description | pid | process | target process
PID 428 wrote to memory of 644 | 428 | RERESHIPPING DOCUMENTS.exe | MSBuild.exe (5 entries)
PID 644 wrote to memory of 3476 | 644 | MSBuild.exe | netsh.exe (3 entries)
Processes

C:\Users\Admin\AppData\Local\Temp\RERESHIPPING DOCUMENTS.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\RERESHIPPING DOCUMENTS.exe"
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\netsh.exe
    Command line: "netsh" wlan show profile