Analysis
- max time kernel: 70s
- max time network: 67s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 08:52
Static task: static1
Behavioral task: behavioral1
  Sample: SHIPMENT RECEIPT.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SHIPMENT RECEIPT.exe
  Resource: win10
General
- Target: SHIPMENT RECEIPT.exe
- Size: 901KB
- MD5: 8cb3c6e7b7287e1f31065550d42af32d
- SHA1: 8cd137ee856179155f99996684fd772124128a87
- SHA256: b464e356f98cb514fa9b6131c3af6b27099dddaf1b6ca50ae7bae783beb02af0
- SHA512: b0af1fddf587bf594733b72023804bff994191d5dabab5e5877f33ea0a680632daa570da6f0dcec4476541f3a682e1e94ff0d469218af22eec5517a8a63d8253
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: franciscondor@yandex.com
- Password: Jamin.kay1
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource: yara_rule):
  - behavioral1/memory/1652-3-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1652-4-0x00000000004474BE-mapping.dmp: family_agenttesla
  - behavioral1/memory/1652-5-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
  - behavioral1/memory/1652-6-0x0000000000400000-0x000000000044C000-memory.dmp: family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoCs)
  Processes (description; pid; process; target process):
  - PID 112 set thread context of 1652; 112; SHIPMENT RECEIPT.exe; SHIPMENT RECEIPT.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid; process):
  - 112; SHIPMENT RECEIPT.exe
  - 112; SHIPMENT RECEIPT.exe
  - 112; SHIPMENT RECEIPT.exe
  - 1652; SHIPMENT RECEIPT.exe
  - 1652; SHIPMENT RECEIPT.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description; pid; process):
  - Token: SeDebugPrivilege; 112; SHIPMENT RECEIPT.exe
  - Token: SeDebugPrivilege; 1652; SHIPMENT RECEIPT.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid; process):
  - 1652; SHIPMENT RECEIPT.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description; pid; process; target process), 9 identical rows:
  - PID 112 wrote to memory of 1652; 112; SHIPMENT RECEIPT.exe; SHIPMENT RECEIPT.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SHIPMENT RECEIPT.exe (tree level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPMENT RECEIPT.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- C:\Users\Admin\AppData\Local\Temp\SHIPMENT RECEIPT.exe (tree level 2, child of the process above)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SHIPMENT RECEIPT.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/112-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1652-3-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1652-4-0x00000000004474BE-mapping.dmp
- memory/1652-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1652-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)