Analysis

max time kernel: 63s
max time network: 76s
platform: windows7_x64
resource: win7
submitted: 24-06-2020 15:09

Static task: static1

Behavioral task: behavioral1
  Sample: Order_4768945.exe
  Resource: win7 (windows7_x64)
  0 signatures, 0 seconds

Behavioral task: behavioral2
  Sample: Order_4768945.exe
  Resource: win10v200430 (windows10_x64)
  0 signatures, 0 seconds
General

Target: Order_4768945.exe
Size: 1.3MB
MD5: 25971cb7135f98d8c5d2856fe69e0979
SHA1: a4c3d67eed9f28d904f12a579bec88c3436e5009
SHA256: 888a23aef242f26dcfdbe6591715d698ad3b1ed16b8946b31ff7e44da3ddead3
SHA512: a611ae222c3e25b19c3747421ad36bd10da31b45b222ab57b87d81fdcd26ab0e82bf4b36d92c212f020f39911dd4ea3d602104e797cca1591e083c240eec0bac
Score: 10/10
Malware Config

Extracted
Family: agenttesla
Credentials
  Protocol: smtp
  Host: us2.smtp.mailhostbox.com
  Port: 587
  Username: export5@fufeng-grooup.com
  Password: K$pbkEK0
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/316-0-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/316-1-0x0000000000446DFE-mapping.dmp                     family_agenttesla
  behavioral1/memory/316-2-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla

Drops startup file (1 IoC)
  description                   ioc                                                                                        process
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\adalsql.url  Order_4768945.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process            target process
  PID 1108 set thread context of 316   1108  Order_4768945.exe  MSBuild.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid  process
  316  MSBuild.exe
  316  MSBuild.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid  process
  Token: SeDebugPrivilege   316  MSBuild.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   process
  1108  Order_4768945.exe
  1108  Order_4768945.exe
  1108  Order_4768945.exe

Suspicious use of SendNotifyMessage (3 IoCs)
  pid   process
  1108  Order_4768945.exe
  1108  Order_4768945.exe
  1108  Order_4768945.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid  process
  316  MSBuild.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process            target process
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
  PID 1108 wrote to memory of 316   1108  Order_4768945.exe  MSBuild.exe
Processes

C:\Users\Admin\AppData\Local\Temp\Order_4768945.exe (PID 1108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order_4768945.exe"
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 316, child of Order_4768945.exe)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx