Analysis
Max time kernel: 148s
Max time network: 151s
Platform: windows10_x64
Resource: win10v200430
Submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
Sample: SHIPPING DOCUMENTS PDF.exe
Resource: win7v200430 (windows7_x64)
Behavioral task: behavioral2
Sample: SHIPPING DOCUMENTS PDF.exe
Resource: win10v200430 (windows10_x64)
General
Target: SHIPPING DOCUMENTS PDF.exe
Size: 1.4MB
MD5: 602bdb24b5e481f190e84adde05f054f
SHA1: 593e47fc09ac9ea43bccffc9c3880d4b69dd954b
SHA256: 384f36ad8c67b24aab276a4b5c295cc0b2f690ca97d9ba854bce80b8f1e2031d
SHA512: 6dc0a6af9ae2f21ff9ceedc14468b95aee5f0fb2f9dc533aba8198ac7e2210812cbaac269cad07492d7a3f67c95fe3881fa35c39c149d64b49a1e3fc9922ebad
Malware Config
Extracted
Family: agenttesla
Credentials (exfiltration channel):
Protocol: smtp
Host: mail.rajalakshmi.co.in
Port: 587
Username: design1@rajalakshmi.co.in
Password: 009_DESign1*
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT) that harvests credentials, keystrokes and screenshots and exfiltrates them over SMTP, FTP or HTTP; the extracted config above shows this sample is configured for SMTP.
-
AgentTesla Payload 2 IoCs
YARA rule family_agenttesla matched in memory dumps of PID 1292 (MSBuild.exe):
- behavioral2/memory/1292-0-0x0000000000400000-0x0000000000452000-memory.dmp (family_agenttesla)
- behavioral2/memory/1292-1-0x000000000044C9DE-mapping.dmp (family_agenttesla)
Adds Run key to start application 2 TTPs 1 IoCs
Process: MSBuild.exe
Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\NewApp = "C:\Users\Admin\AppData\Roaming\NewApp\NewApp.exe"
Suspicious use of SetThreadContext 1 IoCs
PID 3264 (SHIPPING DOCUMENTS PDF.exe) set thread context of PID 1292 (MSBuild.exe)
Suspicious behavior: EnumeratesProcesses 30 IoCs
PID 1292 MSBuild.exe: 2 occurrences
PID 3264 SHIPPING DOCUMENTS PDF.exe: 28 occurrences
Suspicious use of AdjustPrivilegeToken 1 IoCs
PID 1292 MSBuild.exe: Token SeDebugPrivilege
Suspicious use of FindShellTrayWindow 3 IoCs
PID 3264 SHIPPING DOCUMENTS PDF.exe: 3 occurrences
Suspicious use of SendNotifyMessage 3 IoCs
PID 3264 SHIPPING DOCUMENTS PDF.exe: 3 occurrences
Suspicious use of SetWindowsHookEx 1 IoCs
PID 1292 MSBuild.exe: 1 occurrence
Suspicious use of WriteProcessMemory 8 IoCs
PID 3264 (SHIPPING DOCUMENTS PDF.exe) wrote to memory of PID 1292 (MSBuild.exe): 5 occurrences
PID 1292 (MSBuild.exe) wrote to memory of PID 3860 (netsh.exe): 3 occurrences
Processes
- Level 1: C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe (PID 3264)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
- Level 2, child of PID 3264: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 1292)
  Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
- Level 3, child of PID 1292: C:\Windows\SysWOW64\netsh.exe (PID 3860)
  Command line: "netsh" wlan show profile
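The signatures and process tree above describe one chain: the dropper (PID 3264) starts MSBuild.exe (PID 1292), writes into it and sets its thread context (process hollowing), the hollowed MSBuild.exe then writes a Run value pointing into AppData\Roaming, and finally spawns netsh wlan show profile to dump saved Wi-Fi profiles. The Python below is an added detection example, not part of the sandbox report: it runs three rules over constructed events modelled on the report's IoCs, correlates them by PID so the persistence and Wi-Fi findings are escalated when their writer is an already-hollowed process, and includes a benign dotnet-to-MSBuild launch to show what must not fire. The event schema, the list of hollowing-host binaries and the interactive-parent allowlist are this example's assumptions.

```python
"""Added detection example for the chain in the report above: hollowing into
MSBuild.exe, Run-key persistence, and `netsh wlan show profile`.
Events are constructed to mirror the report's IoCs; the event schema is an
assumption (a collector normalising Sysmon/ETW into four kinds), not a vendor's."""
from __future__ import annotations

import re
from collections import defaultdict

# Assumption: trusted .NET Framework binaries commonly used as hollowing hosts.
HOLLOW_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe",
                "aspnet_compiler.exe", "vbc.exe", "csc.exe"}
# Assumption: parents under which an interactive `netsh wlan show profile` is plausible.
INTERACTIVE_PARENTS = {"cmd.exe", "powershell.exe", "explorer.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\", re.IGNORECASE)
WLAN_DUMP = re.compile(r"\bwlan\s+show\s+profile", re.IGNORECASE)

DROPPER = r"C:\Users\Admin\AppData\Local\Temp\SHIPPING DOCUMENTS PDF.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
RUN_KEY = (r"\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000"
           r"\Software\Microsoft\Windows\CurrentVersion\Run\NewApp")

# Constructed telemetry, in the order the report's IoCs imply.
EVENTS = [
    {"kind": "process_create", "pid": 3264, "ppid": 1000, "image": DROPPER, "cmdline": f'"{DROPPER}"'},
    {"kind": "process_create", "pid": 1292, "ppid": 3264, "image": MSBUILD, "cmdline": f'"{MSBUILD}"'},
    *[{"kind": "write_process_memory", "pid": 3264, "target_pid": 1292} for _ in range(5)],
    {"kind": "set_thread_context", "pid": 3264, "target_pid": 1292},
    {"kind": "registry_set", "pid": 1292, "key": RUN_KEY,
     "value": r"C:\Users\Admin\AppData\Roaming\NewApp\NewApp.exe"},
    {"kind": "process_create", "pid": 3860, "ppid": 1292,
     "image": r"C:\Windows\SysWOW64\netsh.exe", "cmdline": '"netsh" wlan show profile'},
    # Benign control (constructed): a build tool launching MSBuild without touching its memory.
    {"kind": "process_create", "pid": 5000, "ppid": 4000,
     "image": r"C:\Program Files\dotnet\dotnet.exe", "cmdline": "dotnet build"},
    {"kind": "process_create", "pid": 5001, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "cmdline": "MSBuild.exe build.proj"},
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[tuple[str, str, str]]:
    """Return (technique, severity, message) findings: hollowing, then persistence, then Wi-Fi dump."""
    procs = {e["pid"]: e for e in events if e["kind"] == "process_create"}
    writes: dict[tuple[int, int], int] = defaultdict(int)
    contexts: list[tuple[int, int]] = []
    for e in events:
        if e["kind"] == "write_process_memory":
            writes[(e["pid"], e["target_pid"])] += 1
        elif e["kind"] == "set_thread_context":
            contexts.append((e["pid"], e["target_pid"]))

    findings: list[tuple[str, str, str]] = []
    hollowed: set[int] = set()
    # Rule 1 (T1055.012): a parent writes into its own child and then sets the child's
    # thread context, and the child is a trusted .NET host. A plain launch (the benign
    # control) never produces the write/context pair, so it cannot match.
    for src, dst in contexts:
        child = procs.get(dst)
        if child and child["ppid"] == src and writes[(src, dst)] and basename(child["image"]) in HOLLOW_HOSTS:
            hollowed.add(dst)
            src_name = basename(procs[src]["image"]) if src in procs else "unknown"
            findings.append(("T1055.012", "high",
                             f"pid {src} ({src_name}) wrote {writes[(src, dst)]}x into and set thread "
                             f"context of child pid {dst} ({basename(child['image'])})"))
    # Rule 2 (T1547.001): Run value pointing at a user-writable path; escalate when the
    # writer is a process Rule 1 already judged hollowed.
    for e in events:
        if e["kind"] == "registry_set" and "\\currentversion\\run\\" in e["key"].lower() \
                and USER_WRITABLE.search(e["value"]):
            sev = "high" if e["pid"] in hollowed else "medium"
            name = e["key"].rsplit("\\", 1)[-1]
            findings.append(("T1547.001", sev, f"pid {e['pid']} set Run value {name} -> {e['value']}"))
    # Rule 3 (T1552): netsh dumping Wi-Fi profiles from a non-interactive parent.
    for e in events:
        if e["kind"] == "process_create" and basename(e["image"]) == "netsh.exe" and WLAN_DUMP.search(e["cmdline"]):
            parent = procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else "unknown"
            if pname not in INTERACTIVE_PARENTS:
                sev = "high" if e["ppid"] in hollowed else "medium"
                findings.append(("T1552", sev, f"pid {e['pid']} ran {e['cmdline']} under {pname} (pid {e['ppid']})"))
    return findings


if __name__ == "__main__":
    for technique, severity, message in detect(EVENTS):
        print(f"[{severity:6}] {technique}: {message}")
```

Sysmon has no event for SetThreadContext itself; in practice the write_process_memory and set_thread_context kinds would be derived from Event 10 (ProcessAccess) where a parent opens its own child with a write-capable GrantedAccess mask (PROCESS_VM_WRITE, 0x0020, is the relevant bit), and the registry_set kind from Event 13. The severity escalation is the point of correlating by PID: a Run value into AppData\Roaming or a netsh wlan show profile on their own are medium-confidence, but written by a process that was just hollowed they are not ambiguous.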