Analysis
- max time kernel: 140s
- max time network: 32s
- platform: windows7_x64
- resource: win7v200430
- submitted: 07-07-2020 08:24
Static task: static1
Behavioral task: behavioral1
- Sample: a9ed23836eea2535687ed15da8137b73.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: a9ed23836eea2535687ed15da8137b73.exe
- Resource: win10
General
- Target: a9ed23836eea2535687ed15da8137b73.exe
- Size: 659KB
- MD5: a9ed23836eea2535687ed15da8137b73
- SHA1: 4974869cf27d011785ea67c8fa7f509cac7fca04
- SHA256: 4b946d9a4de3fef939ea0ef122aa66dc90ccd66f9d842ad8adc0e0038f0c47ea
- SHA512: 932d23b71ed131b1814af18cdf82dc6b08486956d6712f39d0c8696d5026ae56ae9c7145e1449612d0592620a49e6e1b97ac444e68d3bcdaa447c5a2bfa61a4c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: goodwork11
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes (resource / yara_rule):
    behavioral1/memory/1004-4-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1004-5-0x0000000000446F5E-mapping.dmp  family_agenttesla
    behavioral1/memory/1004-7-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
    behavioral1/memory/1004-8-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    1004  InstallUtil.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
    1016  a9ed23836eea2535687ed15da8137b73.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes (description / pid / process / target process):
    description: PID 1016 set thread context of 1004
    pid: 1016, process: a9ed23836eea2535687ed15da8137b73.exe, target process: InstallUtil.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes (pid / process):
    1016  a9ed23836eea2535687ed15da8137b73.exe
    1016  a9ed23836eea2535687ed15da8137b73.exe
    1016  a9ed23836eea2535687ed15da8137b73.exe
    1004  InstallUtil.exe
    1004  InstallUtil.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1016  a9ed23836eea2535687ed15da8137b73.exe
    Token: SeDebugPrivilege  1004  InstallUtil.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process), 12 identical entries:
    description: PID 1016 wrote to memory of 1004
    pid: 1016, process: a9ed23836eea2535687ed15da8137b73.exe, target process: InstallUtil.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a9ed23836eea2535687ed15da8137b73.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a9ed23836eea2535687ed15da8137b73.exe"
  PID: 1016
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    PID: 1004
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 91c9ae9c9a17a9db5e08b120e668c74c
  SHA1: 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
  SHA256: e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
  SHA512: ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e