Analysis
- max time kernel: 112s
- max time network: 119s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:46
Static task: static1
Behavioral task: behavioral1
- Sample: Account details.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Account details.exe
- Resource: win10
General
- Target: Account details.exe
- Size: 950KB
- MD5: 7e68ae591116e242bbbbd2557217cabe
- SHA1: 17400cce304f181e3f6b9f64c98709edb2e682b6
- SHA256: 78786a5ff2dbc771a4d1798bfbf2ebc0477b9db30af86b19ee17c8f17fef709e
- SHA512: 40b211dc7b9117c740b6460ddeea60f555a61406cb949da3ed5d91f763bea0b8bea35a5bae2c5e559f8bd5a51db01d4472f992548efeca5ec9239569117fe4f1
Malware Config
Signatures

Suspicious behavior: MapViewOfSection (1 IoCs)
Processes:
  pid   process
  1668  Account details.exe

Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description                          pid   process              target process
  PID 1668 set thread context of 1292  1668  Account details.exe  Account details.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
  description              pid   process
  Token: SeDebugPrivilege  1292  Account details.exe

UPX packed file (3 IoCs)
Detects executables packed with UPX/modified UPX open source packer.
Processes:
  resource                                                                    yara_rule
  behavioral1/memory/1292-0-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
  behavioral1/memory/1292-2-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
  behavioral1/memory/1292-3-0x0000000000400000-0x00000000004A4000-memory.dmp  upx

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

Suspicious behavior: EnumeratesProcesses (3 IoCs)
Processes:
  pid   process
  1668  Account details.exe
  1292  Account details.exe
  1292  Account details.exe

Suspicious use of WriteProcessMemory (4 IoCs)
Processes:
  description                       pid   process              target process
  PID 1668 wrote to memory of 1292  1668  Account details.exe  Account details.exe
  PID 1668 wrote to memory of 1292  1668  Account details.exe  Account details.exe
  PID 1668 wrote to memory of 1292  1668  Account details.exe  Account details.exe
  PID 1668 wrote to memory of 1292  1668  Account details.exe  Account details.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\Account details.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Account details.exe"
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory

Level 2: C:\Users\Admin\AppData\Local\Temp\Account details.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Account details.exe"
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1292-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1292-1-0x00000000004A20E0-mapping.dmp
- memory/1292-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1292-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/1292-4-0x0000000000310000-0x000000000035C000-memory.dmp (Filesize: 304KB)
- memory/1292-5-0x00000000002B2000-0x00000000002B3000-memory.dmp (Filesize: 4KB)
- memory/1292-6-0x0000000000220000-0x0000000000265000-memory.dmp (Filesize: 276KB)