Analysis
max time kernel: 142s
max time network: 110s
platform: windows10_x64
resource: win10
submitted: 24-06-2020 15:08
Static task: static1
Behavioral task: behavioral1
  Sample: payment swift copy 0992000030.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: payment swift copy 0992000030.exe
  Resource: win10
General
Target: payment swift copy 0992000030.exe
Size: 1.4MB
MD5: 2819167a7dc8fcb29a15e384a6405daf
SHA1: 0fb58427e88a08484092bde990465c9b21b83d49
SHA256: df8d53ae83fc3e3f3052436ec14a37d66474174f88c529e6a6162b4fb1be13d8
SHA512: 8d278d4bf3263f911076f3dce0a67ada8503db9752dd66a68b66b0407c98e1623f4f8c455c44fdf523db2b6e075530ba98d30f651b6a32b32bb6106168ebdbd7
Malware Config
Extracted from the sample. This is the Agent Tesla exfiltration channel: harvested credentials and keystrokes are sent as e-mail through the account below (port 587 is the mail submission port, normally used with STARTTLS).
Protocol: smtp
Host: smtp.t-oniline.me
Port: 587
Username: chemco@t-oniline.me
Password: bVXYU!t4
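As an added example (not part of the sandbox report), the Python below shows how the traffic implied by this config would appear in endpoint network telemetry and how to match it. Two things matter for the rule: the connection is opened by the injected host process (MSBuild.exe), not by the dropper the user ran, and the host name is a lookalike of a legitimate mail provider, so matching on the exact extracted host is more reliable than a "looks like a mail server" heuristic. The event fields mimic Sysmon Event ID 3; the benign control events, the mail-client allowlist and the function names are assumptions for illustration.

```python
"""Match the SMTP exfiltration channel from the report's extracted config
against endpoint network telemetry.

Added example, not part of the sandbox report. The event records mimic the
fields of Sysmon Event ID 3 (network connection); the benign events, the
mail-client allowlist and the function names are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Values copied from the report's "Malware Config" section (the password is
# not needed to match traffic and is left out).
EXTRACTED_CONFIG = {"protocol": "smtp", "host": "smtp.t-oniline.me", "port": 587}

# Mail submission/transfer ports: RFC 6409 submission, implicit-TLS SMTPS, SMTP.
SMTP_PORTS = {587, 465, 25}

# Processes expected to speak SMTP from a workstation (assumed allowlist).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}


@dataclass(frozen=True)
class NetEvent:
    image: str        # full path of the process that opened the connection
    dest_host: str    # destination host name as logged (may be empty in real data)
    dest_port: int
    proto: str = "tcp"


def image_name(path: str) -> str:
    """Lower-case file name of an image path, tolerating either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: NetEvent, config: dict = EXTRACTED_CONFIG) -> list[str]:
    """Return the detection labels that apply to one network event."""
    hits: list[str] = []
    # Exact indicator match on the extracted C2 host and port.
    if ev.dest_host.lower() == config["host"] and ev.dest_port == config["port"]:
        hits.append("c2-match: extracted Agent Tesla SMTP host")
    # Behavioural match: SMTP from anything that is not a mail client. For this
    # sample the connection comes from the hollowed MSBuild.exe, not the dropper.
    if ev.proto == "tcp" and ev.dest_port in SMTP_PORTS and image_name(ev.image) not in MAIL_CLIENTS:
        hits.append(f"smtp-from-non-mail-process: {image_name(ev.image)}")
    return hits


# Constructed sample telemetry: the exfil connection as this sample would
# produce it, plus two benign control events.
SAMPLE_EVENTS = [
    NetEvent(r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe", "smtp.t-oniline.me", 587),
    NetEvent(r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "smtp.office365.com", 587),
    NetEvent(r"C:\Windows\System32\svchost.exe", "ctldl.windowsupdate.com", 80),
]


def hunt(events: list[NetEvent] = SAMPLE_EVENTS) -> dict[str, list[str]]:
    """Map 'image->host:port' to its detection labels for every flagged event."""
    results: dict[str, list[str]] = {}
    for ev in events:
        labels = classify(ev)
        if labels:
            results[f"{image_name(ev.image)}->{ev.dest_host}:{ev.dest_port}"] = labels
    return results


if __name__ == "__main__":
    for key, labels in hunt().items():
        print(key, labels)
```

In real Sysmon data the DestinationHostname field is often empty; a production rule should also match the resolved IP from DNS query events (Sysmon Event ID 22) and treat the two labels differently: the exact host match is a high-confidence indicator for this campaign, while SMTP from a non-mail process is a broader hunting query that will need tuning for monitoring agents and line-of-business tools that legitimately send mail.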
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1636 payment swift copy 0992000030.exe (3 calls)
- Suspicious use of SetThreadContext (1 IoC)
  PID 1636 payment swift copy 0992000030.exe set the thread context of PID 3308 MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3308 MSBuild.exe enabled SeDebugPrivilege
- Suspicious behavior: EnumeratesProcesses (30 IoCs)
  PID 3308 MSBuild.exe (2 events); PID 1636 payment swift copy 0992000030.exe (28 events)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3308 MSBuild.exe (Windows hooks are the usual keylogging mechanism of this family)
- Suspicious use of SendNotifyMessage (3 IoCs)
  PID 1636 payment swift copy 0992000030.exe (3 calls)
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 1636 payment swift copy 0992000030.exe wrote to the memory of PID 3308 MSBuild.exe (5 writes)
  PID 3308 MSBuild.exe wrote to the memory of PID 3832 netsh.exe (3 writes)
  Read together with the SetThreadContext event, the writes from 1636 into 3308 are the process-hollowing pattern: the dropper starts a legitimate MSBuild.exe, overwrites its memory with the payload and points its thread at it. Everything that follows (SeDebugPrivilege, the hook, the netsh child and any network traffic) is therefore attributed to MSBuild.exe rather than to the file the user ran, which is the process name detection and response should look for.
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in VB.NET. It harvests credentials from browsers, mail and FTP clients, logs keystrokes, and exfiltrates the results over SMTP, FTP or HTTP, which matches the browser/FTP/email reads and the SMTP config above.
Processes
- C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe (PID 1636, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe"
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (PID 3308, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 3832, depth 3)
      Command line: "netsh" wlan show profile

Two details of this tree are worth a rule. MSBuild.exe is the 32-bit .NET 2.0 build tool launched with nothing but its own path on the command line; a real build passes a project or solution file or switches, so an empty MSBuild command line spawned from a user's Temp directory is a reliable hollowing indicator. The netsh.exe child is the 32-bit copy (hence SysWOW64, because its parent is 32-bit) and runs "wlan show profile", which enumerates the saved Wi-Fi profiles on the host; the report shows only this enumeration step, and the follow-on "netsh wlan show profile name=<ssid> key=clear" is what would reveal the stored keys.
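As an added example (not part of the sandbox report), the Python below turns the two observations above into detection logic and runs it over constructed process-creation events. It flags MSBuild.exe started with an empty command line by a process living under a user profile, and any "netsh wlan show profile" whose ancestry passes through MSBuild.exe or a user-writable path, while leaving a developer's real build and an administrator's netsh from cmd.exe alone. The records mimic Sysmon Event ID 1; the explorer.exe root, the benign control events and their PIDs are assumptions.

```python
"""Detection logic for the process chain in the report's Processes section.

Added example, not part of the sandbox report. The events mimic Sysmon
Event ID 1 (process creation) records for the three processes the report
shows; the explorer.exe root and the benign developer and administrator
events are constructed controls, and their PIDs are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Paths under a user profile are writable by the user and a common staging area.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)
# Either bitness and any framework version of MSBuild.exe.
MSBUILD = re.compile(r"\\Microsoft\.NET\\Framework(?:64)?\\v[\d.]+\\MSBuild\.exe$", re.IGNORECASE)
# "netsh wlan show profile" lists the saved Wi-Fi profiles.
WLAN_PROFILE = re.compile(r"\bwlan\s+show\s+profile\b", re.IGNORECASE)


def image_name(path: str) -> str:
    """Lower-case file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def arguments(cmdline: str) -> str:
    """Command line with the leading (possibly quoted) image token removed."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def ancestors(ev: ProcEvent, by_pid: dict[int, ProcEvent]) -> list[ProcEvent]:
    """Parent, grandparent, ... as far as the event set allows (cycle-safe)."""
    chain, seen, cur = [], {ev.pid}, ev
    while cur.ppid in by_pid and cur.ppid not in seen:
        cur = by_pid[cur.ppid]
        seen.add(cur.pid)
        chain.append(cur)
    return chain


def detect(events: list[ProcEvent]) -> list[tuple[int, str]]:
    """Return (pid, label) for every event matching one of the two patterns."""
    by_pid = {e.pid: e for e in events}
    hits: list[tuple[int, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        # Pattern 1: MSBuild.exe started with an empty command line by something
        # running from a user-writable path. A real build passes a project,
        # solution or switches; an empty command line fits a hollowing host.
        if MSBUILD.search(e.image) and not arguments(e.cmdline):
            if parent is not None and USER_WRITABLE.search(parent.image):
                hits.append((e.pid, "msbuild-empty-cmdline-from-user-path"))
        # Pattern 2: Wi-Fi profile enumeration whose ancestry passes through
        # MSBuild.exe or a user-writable path. An admin typing it in cmd.exe
        # does not match.
        if image_name(e.image) == "netsh.exe" and WLAN_PROFILE.search(e.cmdline):
            chain = ancestors(e, by_pid)
            if any(MSBUILD.search(a.image) or USER_WRITABLE.search(a.image) for a in chain):
                hits.append((e.pid, "wlan-profile-enum-from-suspicious-chain"))
    return hits


# Constructed events: the report's chain (PIDs 1636, 3308 and 3832 as in the
# report) under an assumed explorer.exe root, plus a benign build from cmd.exe
# and a benign administrator's netsh from the same cmd.exe.
SAMPLE_EVENTS = [
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(1636, 4000, r"C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\payment swift copy 0992000030.exe"'),
    ProcEvent(3308, 1636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"'),
    ProcEvent(3832, 3308, r"C:\Windows\SysWOW64\netsh.exe", r'"netsh" wlan show profile'),
    ProcEvent(5100, 4000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(5000, 5100, r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
              "MSBuild.exe MyApp.sln /t:Build"),
    ProcEvent(5200, 5100, r"C:\Windows\System32\netsh.exe", "netsh wlan show profile"),
]


if __name__ == "__main__":
    for pid, label in detect(SAMPLE_EVENTS):
        print(pid, label)
```

The ancestry walk is what makes the second rule useful: the netsh event on its own is indistinguishable from an administrator checking Wi-Fi profiles, but a chain that passes through an injected MSBuild.exe or an executable in Temp is not something a human produces. On hosts where Sysmon is not deployed, the same fields are available from Windows Security Event 4688 once command-line auditing is enabled.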