Analysis
- max time kernel: 89s
- max time network: 72s
- platform: windows10_x64
- resource: win10
- submitted: 30-06-2020 06:31
Static task: static1
Behavioral task: behavioral1
- Sample: TRM76EWDS.com.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: TRM76EWDS.com.exe
- Resource: win10
General
- Target: TRM76EWDS.com.exe
- Size: 401KB
- MD5: fa54db10aba75c0b629fea0c37e64de3
- SHA1: 931097d1be9092432b8ebb04c0a96f36060aa7ea
- SHA256: 052148f226d2b1e51ca7318eacda6906765138d2e28b290558a2b7003e9f6634
- SHA512: c2e43e5eecc0bcb99ce08a3ffae9bd80867ad48ffd20f00c949f5d28d04677f1744edcd8f7a93efa78a512b5e62cd25ca59413078a845a5f5ba9c2ae62b4024e
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.privateemail.com
- Port: 587
- Username: dubemlogszz@lascostoolsc.xyz
- Password: dubem@4000XAXAX
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/3916-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral2/memory/3916-1-0x00000000004474DE-mapping.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Drops file in Drivers directory (1 IoC)
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | RegSvcs.exe
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | TRM76EWDS.com.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | TRM76EWDS.com.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ZAXVpp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ZAXVpp\\ZAXVpp.exe" | RegSvcs.exe
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | TRM76EWDS.com.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0 | TRM76EWDS.com.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes:
description | pid | process | target process
PID 3100 set thread context of 3916 | 3100 | TRM76EWDS.com.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3916 | RegSvcs.exe
3916 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
description | pid | process
Token: SeDebugPrivilege | 3916 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
description | pid | process | target process
PID 3100 wrote to memory of 3916 | 3100 | TRM76EWDS.com.exe | RegSvcs.exe
(the same entry is recorded 8 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\TRM76EWDS.com.exe (process 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\TRM76EWDS.com.exe"
  - Checks BIOS information in registry
  - Maps connected drives based on registry
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegSvcs.exe (process 2, nested under process 1)
  Command line: "{path}"
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken