Analysis
- max time kernel: 73s
- max time network: 66s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 08:40

Static task: static1

Behavioral task: behavioral1
- Sample: DHL-#AWB130501923096.pdf.exe
- Resource: win7
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: DHL-#AWB130501923096.pdf.exe
- Resource: win10v200430
- 0 signatures
- 0 seconds
General
- Target: DHL-#AWB130501923096.pdf.exe
- Size: 580KB
- MD5: 14f101774538a109fb276b133d57cb40
- SHA1: 525c55f93fb99e1aff4f0ada394eb665f549aa0c
- SHA256: 853b8b5ab3cbde2381a1e4a6721ea06faf392dcab12c955fd908b7da578d6e37
- SHA512: 7049c14634a9c56a44512bf2db51a4dd9137ee5b8772861c74686a1c2d26770832c1e5397a76d6aa8c0f75583feb8c5ad37dfd2e05e2c9801cf7198afd99c44c
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: [email protected]
  - Password: faith12AB
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
    resource                                                                   yara_rule
    behavioral1/memory/828-0-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/828-1-0x000000000044CB6E-mapping.dmp                    family_agenttesla
    behavioral1/memory/828-2-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
    behavioral1/memory/828-3-0x0000000000400000-0x0000000000452000-memory.dmp  family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: DHL-#AWB130501923096.pdf.exe
    description                         pid  process                       target process
    PID 832 set thread context of 828   832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: MSBuild.exe
    pid  process
    828  MSBuild.exe
    828  MSBuild.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: MSBuild.exe
    description              pid  process
    Token: SeDebugPrivilege  828  MSBuild.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes: DHL-#AWB130501923096.pdf.exe, MSBuild.exe
    description                        pid  process                       target process
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 832 wrote to memory of 828     832  DHL-#AWB130501923096.pdf.exe  MSBuild.exe
    PID 828 wrote to memory of 1660    828  MSBuild.exe                   netsh.exe
    PID 828 wrote to memory of 1660    828  MSBuild.exe                   netsh.exe
    PID 828 wrote to memory of 1660    828  MSBuild.exe                   netsh.exe
    PID 828 wrote to memory of 1660    828  MSBuild.exe                   netsh.exe
Processes
- (1) C:\Users\Admin\AppData\Local\Temp\DHL-#AWB130501923096.pdf.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\DHL-#AWB130501923096.pdf.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
  - (2) C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        command line: "{path}"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\netsh.exe
          command line: "netsh" wlan show profile
Downloads
- memory/828-0-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/828-1-0x000000000044CB6E-mapping.dmp
- memory/828-2-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/828-3-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1660-4-0x0000000000000000-mapping.dmp