Analysis
- max time kernel: 141s
- max time network: 142s
- platform: windows10_x64
- resource: win10
- submitted: 07-07-2020 09:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: pago albaran.exe
- Resource: win7
General
- Target: pago albaran.exe
- Size: 706KB
- MD5: bfb1ff98c1a8523e6fd93652bdc86f77
- SHA1: 7f145a81dae5c26e6b6ea276c769e692ce60f0f6
- SHA256: db8790e7a52f33d965df31a00440e1a7d246bddd2fd9d7109e67c63b47630eb7
- SHA512: 7315ed1f1f4a9ce9adc5df7f2652cbd951a6031f88a732aaa98b39fb2eb36b6b4d4bcf14c46c702fab422a6dee0329ecda1b6aad711659377a7385d390352f91
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.solivera.com
- Port: 587
- Username: [email protected]
- Password: ;4eT[uc"9A
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes (resource, yara_rule):
- behavioral2/memory/2924-1-0x00000000004A2300-mapping.dmp: family_agenttesla
- behavioral2/memory/2924-4-0x0000000000400000-0x00000000004A4000-memory.dmp: family_agenttesla
- behavioral2/memory/2924-5-0x0000000002160000-0x00000000021AC000-memory.dmp: family_agenttesla
-
Processes (resource, yara_rule):
- behavioral2/memory/2924-0-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
- behavioral2/memory/2924-3-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
- behavioral2/memory/2924-4-0x0000000000400000-0x00000000004A4000-memory.dmp: upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description, pid, process, target process):
- PID 4092 set thread context of 2924: 4092 pago albaran.exe -> pago albaran.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process; duplicate rows collapsed):
- 4092 pago albaran.exe (2 entries)
- 3520 pago albaran.exe (remaining entries, all identical)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
- 4092 pago albaran.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege: 2924 pago albaran.exe
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes (description, pid, process, target process; duplicate rows collapsed):
- PID 4092 wrote to memory of 2924: 4092 pago albaran.exe -> pago albaran.exe (3 entries)
- PID 4092 wrote to memory of 3520: 4092 pago albaran.exe -> pago albaran.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\pago albaran.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\pago albaran.exe"
  PID: 4092
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pago albaran.exe (child of 4092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pago albaran.exe"
    PID: 2924
    - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Local\Temp\pago albaran.exe (child of 4092)
    Command line: "C:\Users\Admin\AppData\Local\Temp\pago albaran.exe" 2 2924 69406
    PID: 3520
    - Suspicious behavior: EnumeratesProcesses