Analysis
max time kernel: 110s
max time network: 116s
platform: windows7_x64
resource: win7
submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: RFQ.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: RFQ.exe
  Resource: win10 (windows10_x64)
  0 signatures, 0 seconds
General
Target: RFQ.exe
Size: 1.3MB
MD5: 078c44464a42878961a16fcabf731114
SHA1: 8be1ce5318546a2f68bf58ed0507bc419058ef05
SHA256: 90cca0bc037f3b3e5ac45af4d2c3233da62776630d330113621d1a4f531c4dfd
SHA512: f19968ea8a490db9424c3c746ec6acde2a6522b52f947a2532cad12fd65916199032ff7cf76760af5ff904426dd27258bfe4af6a0035df8ae2e2cba6e5866176
Score: 10/10
Malware Config
Extracted
Family: agenttesla
Credentials:
  Protocol: smtp
  Host: mail.travelsapphire.com
  Port: 587
  Username: sharwan.kumar@travelsapphire.com
  Password: A7dth4xADt{61
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (3 IoCs)
Processes (resource | yara_rule):
  behavioral1/memory/1580-1-0x000000000044700E-mapping.dmp | family_agenttesla
  behavioral1/memory/1580-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1580-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla

Drops startup file (1 IoC)
Processes (description | ioc | process):
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\appidsvc.url | RFQ.exe

Suspicious use of SetThreadContext (1 IoC)
Processes (description | pid | process | target process):
  PID 1584 set thread context of 1580 | 1584 | RFQ.exe | MSBuild.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid | process):
  1580 | MSBuild.exe (2 identical entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description | pid | process):
  Token: SeDebugPrivilege | 1580 | MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
Processes (pid | process):
  1584 | RFQ.exe (3 identical entries)

Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid | process):
  1584 | RFQ.exe (3 identical entries)

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description | pid | process | target process):
  PID 1584 wrote to memory of 1580 | 1584 | RFQ.exe | MSBuild.exe (6 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\RFQ.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
   - Drops startup file
   - Suspicious use of SetThreadContext
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child of RFQ.exe)
      Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken