Analysis
- max time kernel: 136s
- max time network: 36s
- platform: windows7_x64
- resource: win7v200430
- submitted: 24-06-2020 14:58
Static task: static1
Behavioral task: behavioral1
- Sample: 9edeaa107cc4122715d43b0a272e8da2.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures, 0 seconds
Behavioral task: behavioral2
- Sample: 9edeaa107cc4122715d43b0a272e8da2.exe
- Resource: win10 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: 9edeaa107cc4122715d43b0a272e8da2.exe
- Size: 1.4MB
- MD5: 9edeaa107cc4122715d43b0a272e8da2
- SHA1: cc50359b87821da2ffef53309b62465e585f8ed5
- SHA256: 6fc9d76b06c202aeec60a5a4e5574cd7a1fe1c12c0df84e9bc65be508923ae7b
- SHA512: 07a71d65ecba49531f5d36ce58273a029be9e369254fc36caf0f52287244c7d49a4871ab220c31cfbbcd9c75fd22f66cb7a111eeda225cbfc09d3e82afcb0fb7
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: mail.brimaq.com
  - Port: 587
  - Username: jaen@brimaq.com
  - Password: brimaQ2012
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (3 IoCs)
  resource | yara_rule
  behavioral1/memory/1056-0-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
  behavioral1/memory/1056-1-0x000000000044CB3E-mapping.dmp | family_agenttesla
  behavioral1/memory/1056-2-0x0000000000400000-0x0000000000452000-memory.dmp | family_agenttesla
- Drops startup file (1 IoC)
  Processes: 9edeaa107cc4122715d43b0a272e8da2.exe
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\GenValObj.url | 9edeaa107cc4122715d43b0a272e8da2.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: 9edeaa107cc4122715d43b0a272e8da2.exe
  description | pid | process | target process
  PID 1008 set thread context of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MSBuild.exe
  pid | process
  1056 | MSBuild.exe
  1056 | MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
  description | pid | process
  Token: SeDebugPrivilege | 1056 | MSBuild.exe
- Suspicious use of FindShellTrayWindow (3 IoCs)
  Processes: 9edeaa107cc4122715d43b0a272e8da2.exe
  pid | process
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
- Suspicious use of SendNotifyMessage (3 IoCs)
  Processes: 9edeaa107cc4122715d43b0a272e8da2.exe
  pid | process
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
  1008 | 9edeaa107cc4122715d43b0a272e8da2.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: 9edeaa107cc4122715d43b0a272e8da2.exe, MSBuild.exe
  description | pid | process | target process
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1008 wrote to memory of 1056 | 1008 | 9edeaa107cc4122715d43b0a272e8da2.exe | MSBuild.exe
  PID 1056 wrote to memory of 572 | 1056 | MSBuild.exe | netsh.exe
  PID 1056 wrote to memory of 572 | 1056 | MSBuild.exe | netsh.exe
  PID 1056 wrote to memory of 572 | 1056 | MSBuild.exe | netsh.exe
  PID 1056 wrote to memory of 572 | 1056 | MSBuild.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\9edeaa107cc4122715d43b0a272e8da2.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\9edeaa107cc4122715d43b0a272e8da2.exe"
  Signatures:
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child process:
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (depth 2)
    Command line: "C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v2.0.50727\\\\MSBuild.exe"
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Child process:
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile