Analysis
-
max time kernel
73s -
max time network
62s -
platform
windows7_x64 -
resource
win7 -
submitted
07-07-2020 12:34
Static task
static1
Behavioral task
behavioral1
Sample
new order.exe
Resource
win7
Behavioral task
behavioral2
Sample
new order.exe
Resource
win10v200430
General
-
Target
new order.exe
-
Size
571KB
-
MD5
68a71573ebeb03f1da55093030a0f215
-
SHA1
f1868c30eec7e1abbb650d9bda4c1ffef0233143
-
SHA256
271d599153db10fd4b2e9ab6e859169d74a4b6d5ce49d786dc392be16f3db3a8
-
SHA512
99731fe81c355b92ea7c67b17b25844b8dcf8083bfeb121b07e641ad44c2094f3b666d680f936e8b4ea54a7fa1f0e609e3c60b4ab127c7f24c9a36e7a0a05d7d
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ikem123456789
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1488-0-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1488-1-0x000000000044C79E-mapping.dmp family_agenttesla behavioral1/memory/1488-2-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla behavioral1/memory/1488-3-0x0000000000400000-0x0000000000452000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
new order.exedescription pid process target process PID 1108 set thread context of 1488 1108 new order.exe new order.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
new order.exepid process 1488 new order.exe 1488 new order.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
new order.exedescription pid process Token: SeDebugPrivilege 1488 new order.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
new order.exenew order.exedescription pid process target process PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1108 wrote to memory of 1488 1108 new order.exe new order.exe PID 1488 wrote to memory of 1896 1488 new order.exe netsh.exe PID 1488 wrote to memory of 1896 1488 new order.exe netsh.exe PID 1488 wrote to memory of 1896 1488 new order.exe netsh.exe PID 1488 wrote to memory of 1896 1488 new order.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\new order.exe"C:\Users\Admin\AppData\Local\Temp\new order.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108 -
C:\Users\Admin\AppData\Local\Temp\new order.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1488 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:1896