Analysis
- max time kernel: 149s
- max time network: 44s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07-07-2020 10:06
- Static task: static1
- Behavioral task: behavioral1 (Sample: BANK TRANSFER DETAILS.exe, Resource: win7)
- Behavioral task: behavioral2 (Sample: BANK TRANSFER DETAILS.exe, Resource: win10v200430)
General
- Target: BANK TRANSFER DETAILS.exe
- Size: 1.1MB
- MD5: d5cd903c3ca0562d70d98f2fc2c23c64
- SHA1: 66cb955fd6145de08a0ae16036e122b1300da5cd
- SHA256: 0112bdb90e11eb117a1066b44657e7afba86f5a6155da9c12e25c346a34b36ca
- SHA512: 3c3c46e8f763bbf1efe6918cd68b10cf5e74931a29739a16ab77d4284a041f76ac17c1677f9b4a80145575002549278f612755bb0a42c34191cbf6849b98046b
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: enugu042
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (2 IoCs)
  Processes:
    - resource: behavioral2/memory/3036-7-0x0000000000900000-0x0000000000FFC000-memory.dmp
      yara_rule: family_agenttesla
    - resource: behavioral2/memory/3036-8-0x000000000094693E-mapping.dmp
      yara_rule: family_agenttesla
- Executes dropped EXE (2 IoCs)
  Processes:
    - pid: 2100, process: rvpjm.pif
    - pid: 3036, process: RegSvcs.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    - description: Key created
      ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
      process: rvpjm.pif
    - description: Set value (str)
      ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\file.exe = "c:\\83667592\\rvpjm.pif c:\\83667592\\wmbjiou.dxa"
      process: rvpjm.pif
- Suspicious use of SetThreadContext (1 IoCs)
  Processes:
    - description: PID 2100 set thread context of 3036
      pid: 2100, process: rvpjm.pif, target process: RegSvcs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes (64 events, two distinct processes):
    - pid: 2100, process: rvpjm.pif
    - pid: 3036, process: RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
    - description: Token: SeDebugPrivilege
      pid: 3036, process: RegSvcs.exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    - pid: 3036, process: RegSvcs.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    - description: PID 2108 wrote to memory of 2100 (3 events)
      pid: 2108, process: BANK TRANSFER DETAILS.exe, target process: rvpjm.pif
    - description: PID 2100 wrote to memory of 3036 (5 events)
      pid: 2100, process: rvpjm.pif, target process: RegSvcs.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\BANK TRANSFER DETAILS.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BANK TRANSFER DETAILS.exe"
  PID: 2108
  Signatures:
  - Suspicious use of WriteProcessMemory
  - [2] C:\83667592\rvpjm.pif (child of PID 2108)
    Command line: "C:\83667592\rvpjm.pif" wmbjiou.dxa
    PID: 2100
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - [3] C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe (child of PID 2100)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegSvcs.exe"
      PID: 3036
      Signatures:
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads