Analysis
- max time kernel: 135s
- max time network: 136s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 12:44
Static task: static1
Behavioral task: behavioral1
- Sample: Order purchase list.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Order purchase list.exe
- Resource: win10
General
- Target: Order purchase list.exe
- Size: 402KB
- MD5: 4a772b183e9988be868319c441faf55e
- SHA1: b908a4ca5925548e62d8bbf194de7ca0b47d62e7
- SHA256: 9add2a18d24644570fc7a754eb3e72052ada8d540bd23be205eb501bf3f02a31
- SHA512: 4e2183ff85adcd407fd5f411f4d1e1f74c51b3034223533094e4b6279e710f961e91e0e7be528441dc771df334b84f8c2a4520823e647e84c62e219b914b0f7f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.sensar-light.com
- Port: 587
- Username: sale6@sensar-light.com
- Password: chibuike12345@@@@@
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/3812-1-0x0000000000446DFE-mapping.dmp | family_agenttesla
  behavioral2/memory/3812-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 3104 set thread context of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  3812 | Order purchase list.exe
  3812 | Order purchase list.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3812 | Order purchase list.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  3812 | Order purchase list.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
  PID 3104 wrote to memory of 3812 | 3104 | Order purchase list.exe | Order purchase list.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Order purchase list.exe (PID 3104)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Order purchase list.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\Order purchase list.exe (PID 3812)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Order purchase list.exe.log
  MD5: 3753b01eddc20f64178eaf3d55b5c146
  SHA1: ca50665940eb8519e1df0c1f185fb72a271c2a66
  SHA256: 99096651b1d9b4a7562f56c8e42c06d1166f7f22a93816e2862317ada8154b37
  SHA512: 566366e651e94fab25454fb0199508cd62a64723137b32fbd5bee531110403d9194b9a4fc053740c571a69e820c1c72e48d65fc3a5410a22b6ae9d2e55508bf3
- memory/3812-1-0x0000000000446DFE-mapping.dmp
- memory/3812-0-0x0000000000400000-0x000000000044C000-memory.dmp
  Filesize: 304KB