Analysis
Max time kernel: 147s
Max time network: 147s
Platform: windows10_x64
Resource: win10
Submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: Quotation062821920 Doc.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: Quotation062821920 Doc.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: Quotation062821920 Doc.exe
Size: 1.4MB
MD5: 28790f7b37df5c55d19af17fe5c26e90
SHA1: ebe03b0be96acbf76a32aaa8f99fb0b80050ba92
SHA256: 288e0e5c83a6fbde926189bf71e44dcb7a6516f726cc5985c28a4c3c4499f30a
SHA512: 42bcf63a192ff93fa86ad1dd07896162be384e9a41bf8924956ae0ec86346c565245ea3e828f07e7802494c5e05ef52ca7e0abdd9e07cc570e740b01ea32c891
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: mail.oneirochemicals.net
  Port: 587
  Username: qa@oneirochemicals.net
  Password: One$1234
Signatures
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic. This sample's extracted config exfiltrates over SMTP using the credentials listed under Malware Config.
AgentTesla Payload (2 IoCs)
Processes:
  resource                                                                  yara_rule
  behavioral2/memory/2800-0-0x0000000000400000-0x000000000044E000-memory.dmp  family_agenttesla
  behavioral2/memory/2800-1-0x0000000000448CBE-mapping.dmp                    family_agenttesla

Suspicious use of SetThreadContext (1 IoC)
Processes:
  description: PID 3868 set thread context of 2800
  process: 3868 Quotation062821920 Doc.exe
  target process: 2800 MSBuild.exe

Suspicious behavior: EnumeratesProcesses (30 IoCs)
Processes:
  3868 Quotation062821920 Doc.exe (28 hits)
  2800 MSBuild.exe (2 hits)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description: Token: SeDebugPrivilege
  process: 2800 MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes:
  3868 Quotation062821920 Doc.exe (3 hits)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes:
  3868 Quotation062821920 Doc.exe (3 hits)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  2800 MSBuild.exe

Suspicious use of WriteProcessMemory (5 IoCs)
Processes:
  description: PID 3868 wrote to memory of 2800 (5 hits)
  process: 3868 Quotation062821920 Doc.exe
  target process: 2800 MSBuild.exe
Processes
C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe (PID 3868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 2800, child of 3868)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
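Read together, the signatures and process tree describe a process-hollowing chain: the dropper in %TEMP% starts the .NET 2.0 MSBuild.exe with no project file or switches, writes to it (WriteProcessMemory, 5 hits), redirects its thread (SetThreadContext), and the hollowed MSBuild.exe then enables SeDebugPrivilege and carries the AgentTesla payload that the YARA hits locate at 0x400000-0x44E000. A bare MSBuild.exe command line under a parent running from a user-writable directory is the cheapest host-side indicator of this pattern. The script below is an added example written for this report, not Triage output or part of the sample's analysis: it correlates the three stages over constructed events. The event field names, the ppid values 0 and 1, the devenv.exe benign control and the extra SMTP ports 25/465 are assumptions; PIDs, image paths and the SMTP endpoint are taken from the report.

```python
"""Correlate the report's hollowing chain over constructed Sysmon-style events."""
import ntpath
import re
from collections import defaultdict

# A hollowed host is started with only its own image path (no project file, no switches).
BARE_MSBUILD = re.compile(r'^\s*"?[^"]*\\msbuild\.exe"?\s*$', re.I)
# User-writable staging directories; the report's dropper ran from AppData\Local\Temp.
USER_WRITABLE = re.compile(r"\\appdata\\(local\\temp|roaming)\\", re.I)
# Both APIs named in the report's signatures must hit the same parent->child pair.
INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext"}
SMTP_PORTS = {25, 465, 587}  # 587 is the port in the extracted config; 25/465 are an assumption

# Constructed events (assumption: field names are illustrative, not raw Triage or Sysmon
# output). PIDs, images and the SMTP endpoint come from the report; ppid 0/1 and the
# devenv.exe build are invented controls.
EVENTS = [
    {"type": "process_create", "pid": 3868, "ppid": 0,
     "image": r"C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\Quotation062821920 Doc.exe"'},
    {"type": "process_create", "pid": 2800, "ppid": 3868,
     "image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'},
    {"type": "process_access", "source_pid": 3868, "target_pid": 2800, "api": "WriteProcessMemory"},
    {"type": "process_access", "source_pid": 3868, "target_pid": 2800, "api": "SetThreadContext"},
    {"type": "network_connect", "pid": 2800, "dest_host": "mail.oneirochemicals.net", "dest_port": 587},
    # Benign control: Visual Studio building a project; MSBuild gets real arguments.
    {"type": "process_create", "pid": 5000, "ppid": 1,
     "image": r"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Visual Studio\2019\Community\Common7\IDE\devenv.exe"'},
    {"type": "process_create", "pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /t:Build App.csproj'},
]


def detect_hollowing(events):
    """Return one finding string per stage of the chain: host, injection, exfil."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    findings = []
    hollowed = set()

    # Stage 1: bare MSBuild.exe spawned by a parent living in a user-writable directory.
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None:
            continue
        if BARE_MSBUILD.match(proc["cmdline"]) and USER_WRITABLE.search(parent["image"]):
            hollowed.add(pid)
            findings.append(
                f"hollow-host: pid {pid} {ntpath.basename(proc['image'])} started with no "
                f"arguments by pid {parent['pid']} {ntpath.basename(parent['image'])}")

    # Stage 2: the same parent both wrote memory and reset thread context in that child.
    seen_apis = defaultdict(set)
    for e in events:
        if e["type"] == "process_access":
            seen_apis[(e["source_pid"], e["target_pid"])].add(e["api"])
    for (src, dst), apis in seen_apis.items():
        if dst in hollowed and INJECTION_APIS <= apis:
            findings.append(f"injection: pid {src} -> pid {dst} via {', '.join(sorted(apis))}")

    # Stage 3: the hollowed child opens an outbound SMTP connection (this config's exfil channel).
    for e in events:
        if e["type"] == "network_connect" and e["pid"] in hollowed and e["dest_port"] in SMTP_PORTS:
            findings.append(f"smtp-exfil: pid {e['pid']} -> {e['dest_host']}:{e['dest_port']}")
    return findings


if __name__ == "__main__":
    for line in detect_hollowing(EVENTS):
        print(line)
```

Stage 1 alone is noisy on developer machines, which is why the benign control (MSBuild.exe with a project argument under devenv.exe) produces nothing; stages 2 and 3 are only evaluated for children that already matched stage 1, so an alert that reaches "smtp-exfil" carries the whole chain.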