Analysis
- max time kernel: 77s
- max time network: 75s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 13:21
Static task: static1
Behavioral task: behavioral1
- Sample: customer ew order.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: customer ew order.exe
- Resource: win10
General
- Target: customer ew order.exe
- Size: 406KB
- MD5: 3f9ef8b43424abd7de6ffda25e0f3084
- SHA1: 6c9625c5d9d6ff7b15c391cee17b9c59499f61fe
- SHA256: 9c3e77fb2e750cac9a2557d9b1a0bb202094e0a11605196c6786f3594fcd15d0
- SHA512: 5608b14a8b43ab2c0aa77a89e9d7fc639384c77da261e4af373fdfe213a4083827a59e26ff36abe78c2666ca607a3a58ed0fda7fe47027353a53e348bb2bfb6c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.good-speaker.com
- Port: 587
- Username: info@good-speaker.com
- Password: 123456789
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource / yara_rule):
  - behavioral1/memory/1408-0-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
  - behavioral1/memory/1408-1-0x000000000044735E-mapping.dmp / family_agenttesla
  - behavioral1/memory/1408-2-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
  - behavioral1/memory/1408-3-0x0000000000400000-0x000000000044C000-memory.dmp / family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description / pid / process / target process):
  - PID 1088 set thread context of 1408 / 1088 / customer ew order.exe / customer ew order.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid / process):
  - 1408 / customer ew order.exe
  - 1408 / customer ew order.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes (description / pid / process):
  - Token: SeDebugPrivilege / 1408 / customer ew order.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid / process):
  - 1408 / customer ew order.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description / pid / process / target process), the same entry reported 9 times:
  - PID 1088 wrote to memory of 1408 / 1088 / customer ew order.exe / customer ew order.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\customer ew order.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\customer ew order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\customer ew order.exe (depth 2, child of the above)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
(no entries)
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1408-0-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1408-1-0x000000000044735E-mapping.dmp
- memory/1408-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1408-3-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)