Analysis
- max time kernel: 132s
- max time network: 138s
- platform: windows7_x64
- resource: win7
- submitted: 30-06-2020 19:14
- Static task: static1
- Behavioral task: behavioral1 (Sample: PO.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: PO.exe, Resource: win10v200430)
General
- Target: PO.exe
- Size: 679KB
- MD5: bf42f566819d80dce55fc66e6e43583f
- SHA1: 277582491f24bbf73518393fee10ba110c9bf79c
- SHA256: 2116630a84b913da34b2f2cb2a5d7f357a9c95c648d2ceeb582c6728e2fca9dc
- SHA512: 2a8be3a45d6e9efb14309282ec45419f3c767ae4a5d4854ab7fe7e988f5667e95852875a23a318a0acf2591436d8248139857148e9b544b7f6d91476570fb8fe
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.napred.net
- Port: 587
- Username: k.jovanovic@napred.net
- Password: Katarina85219!
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (6 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Admin\Desktop\apllication.exe | family_agenttesla
  - C:\Users\Admin\Desktop\apllication.exe | family_agenttesla
  - behavioral1/memory/1148-14-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  - behavioral1/memory/1148-15-0x000000000044A4FE-mapping.dmp | family_agenttesla
  - behavioral1/memory/1148-17-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
  - behavioral1/memory/1148-18-0x0000000000400000-0x0000000000450000-memory.dmp | family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes (pid | process):
  - 1900 | apllication.exe
  - 1148 | AddInProcess32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 1900 | apllication.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes (description | ioc | process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\application = "C:\\Windows\\system32\\pcalua.exe -a C:\\Users\\Admin\\Desktop\\apllication.exe" | reg.exe
  - Key created | \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run | reg.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description | pid | process | target process):
  - PID 1900 set thread context of 1148 | 1900 | apllication.exe | AddInProcess32.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  - 740 | PO.exe (3 events)
  - 1900 | apllication.exe (3 events)
  - 1148 | AddInProcess32.exe (2 events)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  - Token: SeDebugPrivilege | 740 | PO.exe
  - Token: SeDebugPrivilege | 1900 | apllication.exe
  - Token: SeDebugPrivilege | 1148 | AddInProcess32.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process):
  - PID 740 wrote to memory of 1060 | 740 | PO.exe | cmd.exe (4 events)
  - PID 1060 wrote to memory of 1716 | 1060 | cmd.exe | reg.exe (4 events)
  - PID 740 wrote to memory of 1900 | 740 | PO.exe | apllication.exe (4 events)
  - PID 1900 wrote to memory of 1148 | 1900 | apllication.exe | AddInProcess32.exe (9 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "cmd.exe" /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\apllication.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v application /t REG_SZ /d C:\Windows\system32\pcalua.exe" -a C:\Users\Admin\Desktop\apllication.exe"
      - Adds Run key to start application
  - C:\Users\Admin\Desktop\apllication.exe
    Command line: "C:\Users\Admin\Desktop\apllication.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- C:\Users\Admin\Desktop\apllication.exe
  MD5: bf42f566819d80dce55fc66e6e43583f
  SHA1: 277582491f24bbf73518393fee10ba110c9bf79c
  SHA256: 2116630a84b913da34b2f2cb2a5d7f357a9c95c648d2ceeb582c6728e2fca9dc
  SHA512: 2a8be3a45d6e9efb14309282ec45419f3c767ae4a5d4854ab7fe7e988f5667e95852875a23a318a0acf2591436d8248139857148e9b544b7f6d91476570fb8fe
- \Users\Admin\AppData\Local\Temp\AddInProcess32.exe
  MD5: 6a673bfc3b67ae9782cb31af2f234c68
  SHA1: 7544e89566d91e84e3cd437b9a073e5f6b56566e
  SHA256: 978a4093058aa2ebf05dc353897d90d950324389879b57741b64160825b5ec0e
  SHA512: 72c302372ce87ceda2a3c70a6005d3f9c112f1641bc7fe6824c718971233e66c07e2996d2785fa358566c38714c25ea812c05c7cfd2f588284849d495fd24f39
- memory/740-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1060-3-0x0000000000000000-mapping.dmp
- memory/1148-15-0x000000000044A4FE-mapping.dmp
- memory/1148-14-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1148-17-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1148-18-0x0000000000400000-0x0000000000450000-memory.dmp (Filesize: 320KB)
- memory/1716-4-0x0000000000000000-mapping.dmp
- memory/1900-6-0x0000000000000000-mapping.dmp