Analysis
max time kernel: 143s
max time network: 149s
platform: windows7_x64
resource: win7
submitted: 07-07-2020 16:03
Static task: static1
Behavioral task: behavioral1
  Sample: SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
  Resource: win10v200430
General
Target: SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
Size: 341KB
MD5: 2eb615a83afed8792190b04dea641217
SHA1: 6e03c83fc468980003d8b6cc9a2690052c8fbe2e
SHA256: 353ae3fcced86a2ae12f8b249900180eeeffb722a2c56b46356c8f4ec4461925
SHA512: c36342924abff2f84ebb44ce4aa8b24ef4015a315cd6040a330deb23ed904158bed741bdab5769fc13906a1c0a65ac00cd8ae035a4a6d0a3513d79af971af557
Malware Config
Extracted
agenttesla
  Protocol: smtp
  Host: smtp.yandex.com
  Port: 587
  Username: [email protected]
  Password: Fy_DDDs098*/
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  resource | yara_rule
  behavioral1/memory/1072-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1072-1-0x000000000044703E-mapping.dmp | family_agenttesla
  behavioral1/memory/1072-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1072-3-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Drops startup file (1 IoC)
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
- Suspicious use of SetThreadContext (1 IoC)
  description | pid | process | target process
  PID 1612 set thread context of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1072 | RegAsm.exe
  1072 | RegAsm.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  pid | process
  1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | process
  Token: SeDebugPrivilege | 1072 | RegAsm.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | process
  1072 | RegAsm.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | process | target process
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
  PID 1612 wrote to memory of 1072 | 1612 | SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe | RegAsm.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.MSIL.Kryptik.WOX.31681.exe"
  PID: 1612
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 1612)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 1072
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx