Analysis
Max time kernel: 149s
Max time network: 136s
Platform: windows10_x64
Resource: win10
Submitted: 30-06-2020 13:21
Static task: static1
Behavioral task: behavioral1 (sample: customer ew order.exe, resource: win7)
Behavioral task: behavioral2 (sample: customer ew order.exe, resource: win10)
General
Target: customer ew order.exe
Size: 406KB
MD5: 3f9ef8b43424abd7de6ffda25e0f3084
SHA1: 6c9625c5d9d6ff7b15c391cee17b9c59499f61fe
SHA256: 9c3e77fb2e750cac9a2557d9b1a0bb202094e0a11605196c6786f3594fcd15d0
SHA512: 5608b14a8b43ab2c0aa77a89e9d7fc639384c77da261e4af373fdfe213a4083827a59e26ff36abe78c2666ca607a3a58ed0fda7fe47027353a53e348bb2bfb6c
Malware Config
Extracted (family: agenttesla)
Protocol: smtp
Host: smtp.good-speaker.com
Port: 587
Username: info@good-speaker.com
Password: 123456789
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and information stealer written in .NET; the CLR_v2.0 usage log listed under Downloads is consistent with the sample being a managed binary. The extracted SMTP configuration above is its exfiltration channel: harvested credentials are mailed out through the configured account.
AgentTesla Payload (2 IoCs)
Resource                                                                    YARA rule
behavioral2/memory/3948-0-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
behavioral2/memory/3948-1-0x000000000044735E-mapping.dmp                    family_agenttesla

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
Description                         PID  Process                Target process
PID 976 set thread context of 3948  976  customer ew order.exe  customer ew order.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID   Process
976   customer ew order.exe  (4 events)
3948  customer ew order.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Description              PID   Process
Token: SeDebugPrivilege  976   customer ew order.exe
Token: SeDebugPrivilege  3948  customer ew order.exe

Suspicious use of SetWindowsHookEx (1 IoC)
PID   Process
3948  customer ew order.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Description                      PID  Process                Target process         Count
PID 976 wrote to memory of 3900  976  customer ew order.exe  customer ew order.exe  3
PID 976 wrote to memory of 3928  976  customer ew order.exe  customer ew order.exe  3
PID 976 wrote to memory of 3948  976  customer ew order.exe  customer ew order.exe  8
Processes

C:\Users\Admin\AppData\Local\Temp\customer ew order.exe  (level 1; PID 976 per the signature tables)
  Command line: "C:\Users\Admin\AppData\Local\Temp\customer ew order.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\customer ew order.exe  (level 2)
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\customer ew order.exe  (level 2)
    Command line: "{path}"

  C:\Users\Admin\AppData\Local\Temp\customer ew order.exe  (level 2; PID 3948 per the signature tables)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
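The SetThreadContext and WriteProcessMemory entries above, together with the memory dumps the AgentTesla YARA rule matched, describe a process-hollowing chain: the first-stage loader (PID 976) spawns copies of itself, writes a payload into them, and redirects the main thread of one child (3948) to the written image. The script below is an added example and not part of the Triage report; it re-parses the report's own event wording (reproduced here as constructed sample input) to separate the child that was actually hollowed from the children that were only written to, and checks that the resumed entry point 0x44735E lies inside the dumped 0x400000-0x44C000 image (0x4C000 bytes, the 304KB shown under Downloads). The helper names (parse_events, hollowing_targets, check_dumps) are mine.

```python
import re
from collections import Counter

# Constructed from the report's SetThreadContext and WriteProcessMemory tables,
# one event per line, in the report's own wording. Sample input, not a live log.
EVENTS = """\
PID 976 set thread context of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3900 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3900 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3900 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3928 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3928 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3928 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
PID 976 wrote to memory of 3948 976 customer ew order.exe customer ew order.exe
"""

# Memory artefacts named in the report's "AgentTesla Payload" signature.
MEMORY_DUMPS = [
    "behavioral2/memory/3948-0-0x0000000000400000-0x000000000044C000-memory.dmp",
    "behavioral2/memory/3948-1-0x000000000044735E-mapping.dmp",
]

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
RANGE_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAP_RE = re.compile(r"memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_events(text):
    """Return (parent_pid, action, target_pid) for every recognised event line."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append((int(m.group(1)), m.group(2), int(m.group(3))))
    return events


def hollowing_targets(events):
    """Split injection targets into hollowed children (memory writes followed by
    SetThreadContext) and children that were only written to, which is what an
    abandoned or failed hollowing attempt looks like in this kind of trace."""
    writes = Counter()
    ctx = set()
    for parent, action, target in events:
        if action == "wrote to memory of":
            writes[(parent, target)] += 1
        else:
            ctx.add((parent, target))
    hollowed = {pair: writes[pair] for pair in ctx if writes[pair]}
    written_only = {pair: n for pair, n in writes.items() if pair not in ctx}
    return hollowed, written_only


def check_dumps(names):
    """For each pid with an image-range dump, report the range size and whether
    the 'mapping' address (where the hijacked thread resumed) lies inside it."""
    ranges, mappings = {}, {}
    for name in names:
        m = RANGE_RE.search(name)
        if m:
            ranges[int(m.group(1))] = (int(m.group(2), 16), int(m.group(3), 16))
            continue
        m = MAP_RE.search(name)
        if m:
            mappings[int(m.group(1))] = int(m.group(2), 16)
    report = {}
    for pid, (start, end) in ranges.items():
        mapping = mappings.get(pid)
        report[pid] = {
            "start": start,                      # 0x400000: default image base of a 32-bit PE
            "end": end,
            "size_kb": (end - start) // 1024,    # 0x4C000 bytes -> 304 KB, matching Downloads
            "mapping": mapping,
            "mapping_inside": mapping is not None and start <= mapping < end,
        }
    return report


if __name__ == "__main__":
    hollowed, written_only = hollowing_targets(parse_events(EVENTS))
    print("hollowed children:", hollowed)        # {(976, 3948): 8}
    print("write-only children:", written_only)  # {(976, 3900): 3, (976, 3928): 3}
    for pid, info in check_dumps(MEMORY_DUMPS).items():
        print(pid, info)
```

The two write-only children (3900 and 3928) never receive a SetThreadContext and carry no signature flags in the process tree; the child that does (3948) is the one that later enables SeDebugPrivilege and installs a SetWindowsHookEx hook, the usual keylogging primitive. For triage, that makes 3948 the process to dump and the one whose memory the family_agenttesla rule matched, and the image-range dump rather than the on-disk loader is where the stealer configuration is recovered from.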
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\customer ew order.exe.log
MD5: 3753b01eddc20f64178eaf3d55b5c146
SHA1: ca50665940eb8519e1df0c1f185fb72a271c2a66
SHA256: 99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37
SHA512: 566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3

memory/3948-0-0x0000000000400000-0x000000000044C000-memory.dmp
Filesize: 304KB

memory/3948-1-0x000000000044735E-mapping.dmp