Analysis
- max time kernel: 146s
- max time network: 147s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07/07/2020, 08:49
Static task: static1
Behavioral task: behavioral1
- Sample: Ticari Hesap Özetiniz.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: Ticari Hesap Özetiniz.exe
- Resource: win10v200430
General
- Target: Ticari Hesap Özetiniz.exe (Turkish: "Your Commercial Account Statement", a typical invoice/statement lure name)
- Size: 562KB
- MD5: 77b28fa8e6208ae9c88be198f5e614ce
- SHA1: 867520dc43dc7f7b596866349de714e59f91796e
- SHA256: cdf43e36edf4aaa17906bf552cd65351d9b6e66a77356f91cd819874cf531e03
- SHA512: abba633519ecc8f0afe7faa43164d78bed76752d2c756fc039dd79e4ab118ee8de29843e408e5a37930bf1b374322f0732b1630dd8c56fd589dbc10f570b34fb
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.vinorema.com
- Port: 587
- Username: [email protected]
- Password: tempranillo03
Signatures
- AgentTesla
  Agent Tesla is a remote access trojan (RAT) and information stealer written in .NET (Visual Basic .NET). The FTP-client, e-mail-client and browser data reads below are its credential-stealing behaviour; the extracted SMTP configuration above is the exfiltration channel.
- AgentTesla Payload (2 IoCs)
  resource                                                                    yara_rule
  behavioral2/memory/2740-0-0x0000000000400000-0x0000000000450000-memory.dmp  family_agenttesla
  behavioral2/memory/2740-1-0x000000000044A8DE-mapping.dmp                    family_agenttesla
  Both hits are in the memory of the child process (PID 2740): the 0x400000-0x450000 region (0x400000 is the default image base of a 32-bit executable) is where the unpacked payload was written, and the mapping dump at 0x44A8DE lies inside that region.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  description                          pid   process                    procid_target
  PID 1732 set thread context of 2740  1732  Ticari Hesap Özetiniz.exe  72
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  2740  Ticari Hesap Özetiniz.exe
  2740  Ticari Hesap Özetiniz.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  description              pid   process
  Token: SeDebugPrivilege  2740  Ticari Hesap Özetiniz.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process                    procid_target
  PID 1732 wrote to memory of 2740  1732  Ticari Hesap Özetiniz.exe  72
  (this row is recorded eight times: eight WriteProcessMemory calls from the parent into the child)
  Taken together, eight writes into the child followed by SetThreadContext on it, with the child being a second instance of the same executable started with a placeholder command line, is the process-hollowing pattern: the first instance acts as a loader and injects the unpacked AgentTesla payload into its own child, which then enables SeDebugPrivilege and runs the stealer routines.
Processes
- C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"
  PID: 1732
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe (child of PID 1732)
    command line: "{path}"
    PID: 2740
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
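The following is an added example, not Hatching Triage code, showing how the rows above can be turned into a detection: it flags a parent that writes into a child and then calls SetThreadContext on it when the child is a second instance of the parent's own image, checks that the YARA mapping-dump address falls inside the flagged memory region, and notes whether the injected child enabled SeDebugPrivilege. The API events, process tree and dump names are transcribed from this report (constructed input); the heuristic itself and all function names are the editor's, not a Triage rule.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ApiEvent:
    api: str                           # "WriteProcessMemory", "SetThreadContext", "AdjustPrivilegeToken"
    pid: int                           # process making the call
    target_pid: Optional[int] = None   # target process for cross-process calls
    detail: str = ""                   # e.g. privilege name for AdjustPrivilegeToken


# pid -> (parent pid, image name, command line), transcribed from the report's process tree
PROCESSES = {
    1732: (None, "Ticari Hesap Özetiniz.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"'),
    2740: (1732, "Ticari Hesap Özetiniz.exe", '"{path}"'),
}

# Rows transcribed from the report's signature tables (constructed input for this example)
EVENTS = (
    [ApiEvent("WriteProcessMemory", 1732, 2740)] * 8
    + [ApiEvent("SetThreadContext", 1732, 2740),
       ApiEvent("AdjustPrivilegeToken", 2740, None, "SeDebugPrivilege")]
)

# (dump name, rule) pairs transcribed from the "AgentTesla Payload" signature
YARA_HITS = [
    ("behavioral2/memory/2740-0-0x0000000000400000-0x0000000000450000-memory.dmp", "family_agenttesla"),
    ("behavioral2/memory/2740-1-0x000000000044A8DE-mapping.dmp", "family_agenttesla"),
]

# Triage dump naming as seen in this report: <pid>-<idx>-<start>[-<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"(?P<pid>\d+)-(?P<idx>\d+)-(?P<start>0x[0-9A-Fa-f]+)(?:-(?P<end>0x[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_dump_name(name):
    """Return (pid, kind, start, end); end is None for single-address mapping dumps."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    end = int(m["end"], 16) if m["end"] else None
    return int(m["pid"]), m["kind"], int(m["start"], 16), end


def find_hollowing(events, processes):
    """Flag (parent, child, n_writes) when a parent wrote into a child at least once
    before calling SetThreadContext on it, and the child is a direct child running the
    same image as the parent (self-injection / process hollowing)."""
    writes = defaultdict(int)
    flagged = []
    for ev in events:
        if ev.target_pid is None:
            continue
        key = (ev.pid, ev.target_pid)
        if ev.api == "WriteProcessMemory":
            writes[key] += 1
        elif ev.api == "SetThreadContext" and writes[key] > 0:
            parent = processes.get(ev.pid)
            child = processes.get(ev.target_pid)
            if parent and child and child[0] == ev.pid and child[1] == parent[1]:
                flagged.append((ev.pid, ev.target_pid, writes[key]))
    return flagged


def payload_regions_for(pid, yara_hits):
    """For each memory-region YARA hit in `pid`, list the mapping-dump addresses that fall
    inside it, confirming the mapping dump lies within the flagged payload region."""
    regions, mappings = [], []
    for name, rule in yara_hits:
        dpid, kind, start, end = parse_dump_name(name)
        if dpid != pid:
            continue
        (regions if kind == "memory" else mappings).append((start, end, rule))
    return [(hex(s), hex(e), rule, [hex(a) for a, _, _ in mappings if s <= a < e])
            for s, e, rule in regions]


def debug_privilege_in_injected(events, flagged):
    """True when an injected child later enabled SeDebugPrivilege (the AdjustPrivilegeToken row)."""
    children = {child for _, child, _ in flagged}
    return any(ev.api == "AdjustPrivilegeToken" and ev.pid in children
               and ev.detail == "SeDebugPrivilege" for ev in events)


if __name__ == "__main__":
    hits = find_hollowing(EVENTS, PROCESSES)
    for parent, child, n in hits:
        print(f"process hollowing: {parent} -> {child} ({n} WriteProcessMemory calls, then SetThreadContext)")
        for start, end, rule, inside in payload_regions_for(child, YARA_HITS):
            print(f"  payload region {start}-{end} matched {rule}; mapping dumps inside: {inside}")
    print("SeDebugPrivilege enabled in injected child:", debug_privilege_in_injected(EVENTS, hits))
```

Requiring the child to be a direct child running the same image keeps the rule narrow enough to avoid debuggers and legitimate injectors, at the cost of missing hollowing into an unrelated host process such as a system binary; widen the image check if that trade-off is not acceptable for your telemetry.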