Analysis
- max time kernel: 87s
- max time network: 92s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 09:57
- Static task: static1
- Behavioral task: behavioral1
- Sample: pago factura.exe
- Resource: win7
General
- Target: pago factura.exe
- Size: 699KB
- MD5: 2982b154fb8f2d08a4e2ae96afb8a650
- SHA1: 2505ad59c9d1772ce651fe482d9b5c31a5423d83
- SHA256: 70d5074ab20885ad5cec99b0bb93e8d5f45a4a9374beeb863bfc802f99ce6b5d
- SHA512: 30f1641d84d04e39105b4946646f2d5df95a451ef0ed8e1bc21ec5cf300cd81acacb28e69238c1eb610fa7fe5dc35122ccfe6f1f0b7fb5d4c29ab4cb3e8d8b30
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.busilis.pt
- Port: 587
- Username: [email protected]
- Password: bbusiliscom
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1116-1-0x00000000004A2620-mapping.dmp                      family_agenttesla
  behavioral1/memory/1116-4-0x0000000000400000-0x00000000004A4000-memory.dmp    family_agenttesla
  behavioral1/memory/1116-5-0x00000000003B0000-0x00000000003FC000-memory.dmp    family_agenttesla
  behavioral1/memory/1116-7-0x00000000002C0000-0x0000000000306000-memory.dmp    family_agenttesla
- Matches yara rule upx (3 IoCs)
  Processes:
  resource                                                                      yara_rule
  behavioral1/memory/1116-0-0x0000000000400000-0x00000000004A4000-memory.dmp    upx
  behavioral1/memory/1116-3-0x0000000000400000-0x00000000004A4000-memory.dmp    upx
  behavioral1/memory/1116-4-0x0000000000400000-0x00000000004A4000-memory.dmp    upx
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                            pid    process             target process
  PID 1612 set thread context of 1116    1612   pago factura.exe    pago factura.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid    process
  1612   pago factura.exe
  1648   pago factura.exe (this row is repeated for each of the remaining IoCs)
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
  pid    process
  1612   pago factura.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description                pid    process
  Token: SeDebugPrivilege    1116   pago factura.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                         pid    process             target process
  PID 1612 wrote to memory of 1116    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1116    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1116    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1116    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1648    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1648    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1648    1612   pago factura.exe    pago factura.exe
  PID 1612 wrote to memory of 1648    1612   pago factura.exe    pago factura.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\pago factura.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pago factura.exe"
  PID: 1612
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pago factura.exe (child of PID 1612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pago factura.exe"
    PID: 1116
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\pago factura.exe (child of PID 1612)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pago factura.exe" 2 1116 66082
    PID: 1648
    - Suspicious behavior: EnumeratesProcesses