Analysis
- max time kernel: 52s
- max time network: 30s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 12:52
Static task: static1
Behavioral task: behavioral1
  Sample: Transaction Recipt0000000000000000000000.exe
  Resource: win7
Behavioral task: behavioral2
  Sample: Transaction Recipt0000000000000000000000.exe
  Resource: win10v200430
General
- Target: Transaction Recipt0000000000000000000000.exe
- Size: 426KB
- MD5: 059c936b80f96502d0fd020672f88e9a
- SHA1: f96e487f573ab188b9516dec0b6ed8fe83325ef8
- SHA256: b1c01251f188fd002ea3dccd1b74db29da48f6c40511ec96a6b27de3dfc932a8
- SHA512: 3da464dc4fbec7981073e61864e1633e3b6a7bb04a599ac5a612431a07ea805baa7748cf2b015a9a1af5a9865110430ba759eb0fdcc238536ba931398d3bae7d
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: [email protected]
- Password: ronaldo6969
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload 4 IoCs
  Processes:
    resource                                                         yara_rule
    behavioral1/memory/1256-1-0x00000000004A2690-mapping.dmp         family_agenttesla
    behavioral1/memory/1256-3-0x0000000000400000-0x00000000004A4000-memory.dmp   family_agenttesla
    behavioral1/memory/1256-4-0x0000000001CF0000-0x0000000001D3C000-memory.dmp   family_agenttesla
    behavioral1/memory/1256-6-0x00000000003B0000-0x00000000003F6000-memory.dmp   family_agenttesla
- Processes:
    resource                                                         yara_rule
    behavioral1/memory/1256-0-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
    behavioral1/memory/1256-2-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
    behavioral1/memory/1256-3-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
- Reads data files stored by FTP clients 2 TTPs
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients 2 TTPs
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application 2 TTPs 1 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\UnjRJ = "C:\\Users\\Admin\\AppData\\Roaming\\UnjRJ\\UnjRJ.exe"
    process: Transaction Recipt0000000000000000000000.exe
- Suspicious use of SetThreadContext 1 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe
    description: PID 1100 set thread context of 1256
    pid: 1100
    process: Transaction Recipt0000000000000000000000.exe
    target process: Transaction Recipt0000000000000000000000.exe
- Suspicious behavior: EnumeratesProcesses 3 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe, Transaction Recipt0000000000000000000000.exe
    pid    process
    1100   Transaction Recipt0000000000000000000000.exe
    1256   Transaction Recipt0000000000000000000000.exe
    1256   Transaction Recipt0000000000000000000000.exe
- Suspicious behavior: MapViewOfSection 1 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe
    pid    process
    1100   Transaction Recipt0000000000000000000000.exe
- Suspicious use of AdjustPrivilegeToken 1 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe
    description: Token: SeDebugPrivilege
    pid: 1256
    process: Transaction Recipt0000000000000000000000.exe
- Suspicious use of WriteProcessMemory 4 IoCs
  Processes: Transaction Recipt0000000000000000000000.exe
    description                          pid    process                                        target process
    PID 1100 wrote to memory of 1256     1100   Transaction Recipt0000000000000000000000.exe   Transaction Recipt0000000000000000000000.exe
    PID 1100 wrote to memory of 1256     1100   Transaction Recipt0000000000000000000000.exe   Transaction Recipt0000000000000000000000.exe
    PID 1100 wrote to memory of 1256     1100   Transaction Recipt0000000000000000000000.exe   Transaction Recipt0000000000000000000000.exe
    PID 1100 wrote to memory of 1256     1100   Transaction Recipt0000000000000000000000.exe   Transaction Recipt0000000000000000000000.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Transaction Recipt0000000000000000000000.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Transaction Recipt0000000000000000000000.exe"
  PID: 1100
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Transaction Recipt0000000000000000000000.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Transaction Recipt0000000000000000000000.exe"
    PID: 1256
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken