Analysis
-
max time kernel
150s -
max time network
155s -
platform
windows7_x64 -
resource
win7 -
submitted
07-07-2020 10:01
Static task
static1
Behavioral task
behavioral1
Sample
HKSUPO202006.exe
Resource
win7
General
-
Target
HKSUPO202006.exe
-
Size
703KB
-
MD5
4437d2c24315480713548a0e8511c17d
-
SHA1
b024ce7b6d469bca49bc12c7ed9226696388d3e6
-
SHA256
0fafd555f84dcb876be1182b40ed4b85e7b57d8c5798243c3ed0b8421aabe9a6
-
SHA512
69be8167de86836cce9a4745a61cbd509f20e9a5ff9a14f7244890e6a3718c15d82987abce8596bf24ba8349ab626778ca9244f3ab2348f4af51a0f517f317c2
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
church12@@
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 3 IoCs
Processes:
resource yara_rule behavioral1/memory/1552-3-0x0000000000400000-0x00000000004A4000-memory.dmp family_agenttesla behavioral1/memory/1552-4-0x0000000000350000-0x000000000039C000-memory.dmp family_agenttesla behavioral1/memory/1552-6-0x0000000000220000-0x0000000000266000-memory.dmp family_agenttesla -
Processes:
resource yara_rule behavioral1/memory/1552-0-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1552-2-0x0000000000400000-0x00000000004A4000-memory.dmp upx behavioral1/memory/1552-3-0x0000000000400000-0x00000000004A4000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
HKSUPO202006.exedescription pid process target process PID 1464 set thread context of 1552 1464 HKSUPO202006.exe HKSUPO202006.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
HKSUPO202006.exeHKSUPO202006.exepid process 1464 HKSUPO202006.exe 1552 HKSUPO202006.exe 1552 HKSUPO202006.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
HKSUPO202006.exepid process 1464 HKSUPO202006.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
HKSUPO202006.exedescription pid process Token: SeDebugPrivilege 1552 HKSUPO202006.exe -
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
HKSUPO202006.exedescription pid process target process PID 1464 wrote to memory of 1552 1464 HKSUPO202006.exe HKSUPO202006.exe PID 1464 wrote to memory of 1552 1464 HKSUPO202006.exe HKSUPO202006.exe PID 1464 wrote to memory of 1552 1464 HKSUPO202006.exe HKSUPO202006.exe PID 1464 wrote to memory of 1552 1464 HKSUPO202006.exe HKSUPO202006.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\HKSUPO202006.exe"C:\Users\Admin\AppData\Local\Temp\HKSUPO202006.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1464 -
C:\Users\Admin\AppData\Local\Temp\HKSUPO202006.exe"C:\Users\Admin\AppData\Local\Temp\HKSUPO202006.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1552