Analysis

Max time kernel: 70s
Max time network: 73s
Platform: windows7_x64
Resource: win7
Submitted: 30-06-2020 13:07
Static task: static1
Behavioral task: behavioral1
  Sample: Recibo del envío.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Recibo del envío.exe
  Resource: win10v200430
General

Target: Recibo del envío.exe
Size: 1015KB
MD5: fb6f39487961ff0ab1772bae6eec5704
SHA1: d5ba16fd8e51397a19c24c20c022a62f4d8637d7
SHA256: 664b69b27e77e1458d7fff94e384830b0e6e63b29d3ca5a3babf07c942333b5f
SHA512: 4fb8a1b2d44043c2e703e1d829623f39abb05856fe45cbcc734114364c01eae50bbefb0c2ddd57f86dccc7f983522b2f1a93d7d6950cfd8f1a0e1b6c482fc683
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: es.cajamar@yandex.com
Password: Universe2830
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/324-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/324-5-0x0000000000446FCE-mapping.dmp | family_agenttesla
behavioral1/memory/324-7-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/324-8-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
Executes dropped EXE (1 IoC)
Processes:
pid | process
324 | InstallUtil.exe

Loads dropped DLL (1 IoC)
Processes:
pid | process
1464 | Recibo del envío.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 1464 set thread context of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes:
pid | process
1464 | Recibo del envío.exe
1464 | Recibo del envío.exe
1464 | Recibo del envío.exe
324 | InstallUtil.exe
324 | InstallUtil.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1464 | Recibo del envío.exe
Token: SeDebugPrivilege | 324 | InstallUtil.exe

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
pid | process
324 | InstallUtil.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description | pid | process | target process
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
PID 1464 wrote to memory of 324 | 1464 | Recibo del envío.exe | InstallUtil.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\Recibo del envío.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Recibo del envío.exe"
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe (child of process 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
MD5: 91c9ae9c9a17a9db5e08b120e668c74c
SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e
memory/324-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
memory/324-5-0x0000000000446FCE-mapping.dmp
memory/324-7-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
memory/324-8-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
memory/1464-1-0x0000000000000000-0x0000000000000000-disk.dmp