Analysis
- max time kernel: 150s
- max time network: 6s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 15:08
Tasks
- static1: static task
- behavioral1: behavioral task, sample SHIPPING DOCUMENTS PDF.exe, resource win7v200430, platform windows7_x64
- behavioral2: behavioral task, sample SHIPPING DOCUMENTS PDF.exe, resource win10v200430, platform windows10_x64
General
- Target: SHIPPING DOCUMENTS PDF.exe
- Size: 1.4MB
- MD5: 602bdb24b5e481f190e84adde05f054f
- SHA1: 593e47fc09ac9ea43bccffc9c3880d4b69dd954b
- SHA256: 384f36ad8c67b24aab276a4b5c295cc0b2f690ca97d9ba854bce80b8f1e2031d
- SHA512: 6dc0a6af9ae2f21ff9ceedc14468b95aee5f0fb2f9dc533aba8198ac7e2210812cbaac269cad07492d7a3f67c95fe3881fa35c39c149d64b49a1e3fc9922ebad
Malware Config
Extracted
- Family: agenttesla
- Credentials (the SMTP account the stealer uses to mail out harvested data; the host, port and account are the network indicators to block and hunt for):
  - Protocol: smtp
  - Host: mail.rajalakshmi.co.in
  - Port: 587
  - Username: design1@rajalakshmi.co.in
  - Password: 009_DESign1*
Signatures

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The behaviour recorded below (a hollowed MSBuild.exe host, SeDebugPrivilege, a Windows hook, Wi-Fi profile enumeration and an SMTP exfiltration account) is consistent with that family.

AgentTesla Payload (3 IoCs)
All three YARA hits are on memory dumps of PID 280 (MSBuild.exe), the process the dropper injects into. The dumped region starts at 0x400000, the default image base of a 32-bit PE, i.e. the unpacked payload mapped over the host's image.
resource | yara_rule
behavioral1/memory/280-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
behavioral1/memory/280-1-0x000000000044C9DE-mapping.dmp | family_agenttesla
behavioral1/memory/280-2-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla

Adds Run key to start application (2 TTPs, 1 IoC)
Per-user persistence: \REGISTRY\USER\<SID> is the logged-on user's hive (HKCU), and the value points at a copy of the payload under %APPDATA%\NewApp. The key is written by the hollowed MSBuild.exe, not by the dropper, so a detection keyed on the dropper's file name alone misses it. The doubled backslashes are how the report renders the string value.
process | description | ioc
MSBuild.exe | Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\\Users\\Admin\\AppData\\Roaming\\NewApp\\NewApp.exe"

Suspicious use of SetThreadContext (1 IoC)
Together with the six WriteProcessMemory calls from the same parent into the same child (below), this is the process-hollowing pattern: the dropper starts MSBuild.exe, overwrites its memory with the payload and resets the thread context so execution continues inside the injected image. MSBuild.exe is a signed Microsoft binary, so the stealer runs under a trusted image name.
process | description | pid | target process
SHIPPING DOCUMENTS PDF.exe | PID 1520 set thread context of 280 | 1520 | MSBuild.exe

Suspicious behavior: EnumeratesProcesses (16 IoCs)
pid | process | occurrences
280 | MSBuild.exe | 2
1520 | SHIPPING DOCUMENTS PDF.exe | 14

Suspicious use of AdjustPrivilegeToken (1 IoC)
SeDebugPrivilege is enabled by the hollowed process, which is what a stealer needs before opening other users' processes for credential access.
process | description | pid
MSBuild.exe | Token: SeDebugPrivilege | 280

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | process | occurrences
1520 | SHIPPING DOCUMENTS PDF.exe | 3

Suspicious use of SendNotifyMessage (3 IoCs)
Both tray/window signatures above come from the dropper and are low-severity on their own; GUI applications trigger them too.
pid | process | occurrences
1520 | SHIPPING DOCUMENTS PDF.exe | 3

Suspicious use of SetWindowsHookEx (1 IoC)
Installed from the hollowed process; consistent with the family's keylogging component hooking keyboard input.
pid | process
280 | MSBuild.exe

Suspicious use of WriteProcessMemory (10 IoCs)
The 1520 -> 280 writes, combined with the SetThreadContext above, are the strong signal. The 280 -> 520 writes occur when MSBuild.exe launches netsh.exe; parent-to-child writes at process creation also show up for ordinary process launches in these reports, so on their own they are weak.
source pid | source process | target pid | target process | occurrences
1520 | SHIPPING DOCUMENTS PDF.exe | 280 | MSBuild.exe | 6
280 | MSBuild.exe | 520 | netsh.exe | 4
Processes (behavioral1, windows7_x64; PIDs taken from the signature tables)

1. C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe (PID 1520)
   command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 280, child of 1)
      command line as recorded: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\netsh.exe (PID 520, child of 2)
         command line: "netsh" wlan show profile

Notes on the tree: the lure is an executable named as if it were a PDF, run from the user's Temp directory. The 32-bit Framework directory (Framework, not Framework64) and SysWOW64\netsh.exe show the whole chain is 32-bit on the x64 guest, which matches the 0x400000 image base in the memory dumps. "netsh wlan show profile" lists saved Wi-Fi profiles; the follow-up that reveals stored keys ("netsh wlan show profile name=<ssid> key=clear") is not recorded in this report. MSBuild.exe spawning netsh.exe is itself anomalous: a build tool has no reason to enumerate wireless profiles.
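The chain in the Signatures and Processes sections (cross-process writes plus SetThreadContext from the dropper into MSBuild.exe, a Run key under %APPDATA%, netsh wlan show profile launched from the hollowed process) is what a responder wants a script to confirm from raw sandbox events rather than by eye. The following Python is an added example, not code from the Triage report or from the sample: it re-encodes the report's process table and events by hand, and the tuple layout, the user-writable-directory pattern and the lure-name pattern are this example's own assumptions. The checks are written to generalise to other reports of the same shape, not only to these three PIDs.

```python
"""Triage helpers for the Agent Tesla behaviour in the report above.

Added example; this is not code from the Triage report or from the sample.
The process table and event list are copied by hand from the Signatures and
Processes sections; the tuple layout and function names are this script's own.
"""
import re
from collections import Counter

# pid -> (image path, parent pid), from the Processes section
PROCS = {
    1520: (r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe", None),
    280: (r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", 1520),
    520: (r"C:\Windows\SysWOW64\netsh.exe", 280),
}
CMDLINES = {520: '"netsh" wlan show profile'}

RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\NewApp")
# (api, acting pid, target): target is a pid, a (key, value) pair, a privilege or None
EVENTS = (
    [("WriteProcessMemory", 1520, 280)] * 6
    + [("SetThreadContext", 1520, 280)]
    + [("WriteProcessMemory", 280, 520)] * 4
    + [
        ("RegSetValue", 280, (RUN_KEY, r"C:\Users\Admin\AppData\Roaming\NewApp\NewApp.exe")),
        ("AdjustPrivilegeToken", 280, "SeDebugPrivilege"),
        ("SetWindowsHookEx", 280, None),
    ]
)

# Assumed patterns (this example's own): user-writable drop locations and
# "document name on an executable" lures.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
LURE_NAME = re.compile(r"(?:^|[\s._-])(pdf|docx?|xlsx?|jpe?g|png)\.(exe|scr|com)$", re.I)


def find_hollowing(events):
    """(parent, child, write count) where the parent both wrote into the child
    and reset its thread context. Parent->child WriteProcessMemory on its own is
    also produced by ordinary process creation, so it is not reported alone."""
    writes = Counter((s, d) for api, s, d in events if api == "WriteProcessMemory")
    ctx = {(s, d) for api, s, d in events if api == "SetThreadContext"}
    return sorted((s, d, writes[(s, d)]) for s, d in ctx if writes[(s, d)])


def find_user_writable_run_keys(events):
    """Run/RunOnce values whose target lives in a user-writable directory."""
    hits = []
    for api, pid, data in events:
        if api != "RegSetValue":
            continue
        key, value = data
        if RUN_KEY_RE.search(key) and USER_WRITABLE.search(value):
            hits.append((pid, key.rsplit("\\", 1)[1], value))
    return hits


def find_wifi_profile_enum(procs, cmdlines, hollowed):
    """netsh 'wlan show profile' instances, flagged when the parent is hollowed."""
    hits = []
    for pid, (image, parent) in procs.items():
        cmd = cmdlines.get(pid, "")
        if image.lower().endswith("\\netsh.exe") and re.search(r"wlan\s+show\s+profile", cmd, re.I):
            hits.append((pid, parent, parent in hollowed))
    return hits


def is_double_extension_lure(path):
    """'SHIPPING DOCUMENTS PDF.exe': a document-like name on an executable."""
    return bool(LURE_NAME.search(path.rsplit("\\", 1)[-1]))


def triage(procs=PROCS, cmdlines=CMDLINES, events=EVENTS):
    """Run every check and return the findings keyed by category."""
    hollow = find_hollowing(events)
    hollowed = {child for _, child, _ in hollow}
    return {
        "hollowing": hollow,
        "persistence": find_user_writable_run_keys(events),
        "wifi_profile_enum": find_wifi_profile_enum(procs, cmdlines, hollowed),
        "lure_names": [pid for pid, (img, _) in procs.items() if is_double_extension_lure(img)],
        "sedebug": [pid for api, pid, t in events if api == "AdjustPrivilegeToken" and t == "SeDebugPrivilege"],
    }


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

The hollowing check deliberately requires both the memory writes and the thread-context reset from the same parent into the same child: that is why the four MSBuild.exe -> netsh.exe writes in this report do not produce a second finding, while the six writes from the dropper into MSBuild.exe do. The Wi-Fi check carries the parent's hollowed status as a separate field so that a legitimate netsh run from an interactive shell can be triaged differently from one launched by an injected process.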