Analysis
- max time kernel: 90s
- max time network: 56s
- platform: windows7_x64
- resource: win7v200430
- submitted: 30-06-2020 13:35
Static task: static1
Behavioral task: behavioral1
  Sample: a44c19ade0a232bea5617b7d512217fa.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: a44c19ade0a232bea5617b7d512217fa.exe
  Resource: win10
General
- Target: a44c19ade0a232bea5617b7d512217fa.exe
- Size: 688KB
- MD5: a44c19ade0a232bea5617b7d512217fa
- SHA1: 91f2f90bf2d0d32172b207d32bc36b08ca0a44be
- SHA256: a4c70297087ab9d2ba1dfa7452273fdf66295bf4ab7fa001e04841a9dd8c02ef
- SHA512: c9769773cd7228d231cffece61a827051826b6a7670fc4d9923c3ee9f06a42d01944583ea035b325e58b0ddd3defab064239db77e7e4125a68de0ce7a998f94c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.vibrantford.co.in
- Port: 587
- Username: commercial@vibrantford.co.in
- Password: Sguda@1
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/600-1-0x00000000004A2810-mapping.dmp | family_agenttesla
  behavioral1/memory/600-3-0x0000000000400000-0x00000000004A4000-memory.dmp | family_agenttesla
  behavioral1/memory/600-4-0x00000000004B0000-0x00000000004FC000-memory.dmp | family_agenttesla
  behavioral1/memory/600-6-0x00000000002D0000-0x0000000000316000-memory.dmp | family_agenttesla
- Processes:
  resource | yara_rule
  behavioral1/memory/600-0-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/600-2-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/600-3-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\Myfile = "C:\\Users\\Admin\\AppData\\Roaming\\Myfile\\Myfile.exe" | a44c19ade0a232bea5617b7d512217fa.exe
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe
  description | pid | process | target process
  PID 1296 set thread context of 600 | 1296 | a44c19ade0a232bea5617b7d512217fa.exe | a44c19ade0a232bea5617b7d512217fa.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe, a44c19ade0a232bea5617b7d512217fa.exe
  pid | process
  1296 | a44c19ade0a232bea5617b7d512217fa.exe
  600 | a44c19ade0a232bea5617b7d512217fa.exe
  600 | a44c19ade0a232bea5617b7d512217fa.exe
- Suspicious behavior: MapViewOfSection (1 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe
  pid | process
  1296 | a44c19ade0a232bea5617b7d512217fa.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe
  description | pid | process
  Token: SeDebugPrivilege | 600 | a44c19ade0a232bea5617b7d512217fa.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: a44c19ade0a232bea5617b7d512217fa.exe
  description | pid | process | target process
  PID 1296 wrote to memory of 600 | 1296 | a44c19ade0a232bea5617b7d512217fa.exe | a44c19ade0a232bea5617b7d512217fa.exe
  PID 1296 wrote to memory of 600 | 1296 | a44c19ade0a232bea5617b7d512217fa.exe | a44c19ade0a232bea5617b7d512217fa.exe
  PID 1296 wrote to memory of 600 | 1296 | a44c19ade0a232bea5617b7d512217fa.exe | a44c19ade0a232bea5617b7d512217fa.exe
  PID 1296 wrote to memory of 600 | 1296 | a44c19ade0a232bea5617b7d512217fa.exe | a44c19ade0a232bea5617b7d512217fa.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a44c19ade0a232bea5617b7d512217fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a44c19ade0a232bea5617b7d512217fa.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\a44c19ade0a232bea5617b7d512217fa.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\a44c19ade0a232bea5617b7d512217fa.exe"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/600-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/600-1-0x00000000004A2810-mapping.dmp
- memory/600-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/600-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/600-4-0x00000000004B0000-0x00000000004FC000-memory.dmp (Filesize: 304KB)
- memory/600-5-0x0000000001ED2000-0x0000000001ED3000-memory.dmp (Filesize: 4KB)
- memory/600-6-0x00000000002D0000-0x0000000000316000-memory.dmp (Filesize: 280KB)