Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 09:00
Static task: static1

Behavioral task: behavioral1
- Sample: Quotation.exe
- Resource: win7v200430 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: Quotation.exe
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: Quotation.exe
- Size: 398KB
- MD5: acf625220d32911234345c7c65bf0477
- SHA1: dea87c877a0ea827b654fb9c0d4e66d51aea212c
- SHA256: 22bb4fb64047a3ccdb9e79080e9b9769733a84fceb7d2ec8e82d3823802e33fb
- SHA512: 60622fa547a08ed113c9579372b91c07758bf2fbc3670317e5a227ddaa4968c6297f4c5cef59b1771d86604b5219e7c61a273fe6db9bda55129278abbdd42c5e
- Score: 10/10
Malware Config

Extracted
- Credentials:
  - Protocol: smtp
  - Host: mail.privateemail.com
  - Port: 587
  - Username: telley_min@vectromtech.com
  - Password: 111aaa

Extracted
- Family: agenttesla
- Credentials:
  - Protocol: smtp
  - Host: mail.privateemail.com
  - Port: 587
  - Username: telley_min@vectromtech.com
  - Password: 111aaa
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (2 IoCs)
  Processes:
    resource                                                                    | yara_rule
    behavioral2/memory/3824-1-0x000000000044A73E-mapping.dmp                    | family_agenttesla
    behavioral2/memory/3824-0-0x0000000000400000-0x0000000000450000-memory.dmp  | family_agenttesla

- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    description                          | pid  | process       | target process
    PID 3372 set thread context of 3824  | 3372 | Quotation.exe | MSBuild.exe

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid  | process
    3824 | MSBuild.exe
    3824 | MSBuild.exe

- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    description              | pid  | process
    Token: SeDebugPrivilege  | 3824 | MSBuild.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                        | pid  | process       | target process
    PID 3372 wrote to memory of 3824   | 3372 | Quotation.exe | MSBuild.exe
    (this entry is recorded 8 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Quotation.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (child of 1)
      Command line: "{path}"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken