Analysis
- max time kernel: 142s
- max time network: 144s
- platform: windows10_x64
- resource: win10
- submitted: 08-07-2020 05:09
Static task: static1
Behavioral task: behavioral1
Sample: pronewcryptagain.exe
Resource: win7v200430
General
- Target: pronewcryptagain.exe
- Size: 721KB
- MD5: a4d851f38893d81253064f87250c4e2e
- SHA1: 1fa7dc7a8be6844201c71a4562dd8c86515b0fc7
- SHA256: 8eb3933e2012364a81fa9f1003c485c03c6cafd61eefaf1b4059cc8d4a4066a7
- SHA512: ef6d3a375d10e30c0e2bf7180a7044aacf22c789dedb4fcb61c01dc953a04bfd62487c3bd19779ad0a0d46519d497add7c1c1693095c551ccb6cb00a054d7a07
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: mail.insooryaexpresscargo.com
- Port: 587
- Username: [email protected] (address obfuscated in this copy of the report)
- Password: GuG5GK(3m7*Z
Signatures
-
AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT); its stolen data is exfiltrated over the SMTP account extracted above.
-
AgentTesla Payload (2 IoCs)
resource | yara_rule
behavioral2/memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp | family_agenttesla
behavioral2/memory/3876-4-0x00000000009B0000-0x0000000000A02000-memory.dmp | family_agenttesla
-
UPX (3 IoCs)
resource | yara_rule
behavioral2/memory/3876-0-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
behavioral2/memory/3876-2-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
behavioral2/memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | target process
PID 2460 set thread context of 3876 | 2460 | pronewcryptagain.exe | pronewcryptagain.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | process
2460 | pronewcryptagain.exe
2460 | pronewcryptagain.exe
3876 | pronewcryptagain.exe
3876 | pronewcryptagain.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
pid | process
2460 | pronewcryptagain.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | process
Token: SeDebugPrivilege | 3876 | pronewcryptagain.exe
-
Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 2460 wrote to memory of 3876 | 2460 | pronewcryptagain.exe | pronewcryptagain.exe
PID 2460 wrote to memory of 3876 | 2460 | pronewcryptagain.exe | pronewcryptagain.exe
PID 2460 wrote to memory of 3876 | 2460 | pronewcryptagain.exe | pronewcryptagain.exe
PID 3876 wrote to memory of 3420 | 3876 | pronewcryptagain.exe | netsh.exe
PID 3876 wrote to memory of 3420 | 3876 | pronewcryptagain.exe | netsh.exe
PID 3876 wrote to memory of 3420 | 3876 | pronewcryptagain.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\pronewcryptagain.exe (PID 2460, depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\pronewcryptagain.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\pronewcryptagain.exe (PID 3876, depth 2, child of 2460)
    command line: "C:\Users\Admin\AppData\Local\Temp\pronewcryptagain.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (PID 3420, depth 3, child of 3876)
      command line: "netsh" wlan show profile
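The process tree and the WriteProcessMemory/SetThreadContext rows above together describe one pattern: the first copy of the sample (2460) launches its own binary again (3876), writes into it, then replaces the child's thread context, and the injected copy goes on to enumerate Wi-Fi profiles through netsh. The detection logic below, an added example and not Triage's own signature code, runs over a constructed event list that mirrors those rows. The event schema, the INTERACTIVE_PARENTS allow-list and the parent pid of 2460 (not shown on the page, given as None) are assumptions; the logic is written generally, so a different-image hollowing target would also be reported, with self_injection set to False.

```python
"""Flag write+SetThreadContext injection and netsh Wi-Fi profile enumeration.

Added example; not Triage's code. EVENTS is constructed from the report's
process tree and "Suspicious use of ..." rows.
"""
import ntpath
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\pronewcryptagain.exe"
NETSH = r"C:\Windows\SysWOW64\netsh.exe"

# Constructed to mirror the report: three writes plus one SetThreadContext from
# 2460 into its same-image child 3876; 3876 then spawns netsh (three writes, no
# thread-context change). ppid of 2460 is unknown on the page (assumed None).
EVENTS = [
    {"op": "create", "pid": 2460, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"op": "create", "pid": 3876, "ppid": 2460, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"op": "WriteProcessMemory", "pid": 2460, "target": 3876},
    {"op": "WriteProcessMemory", "pid": 2460, "target": 3876},
    {"op": "WriteProcessMemory", "pid": 2460, "target": 3876},
    {"op": "SetThreadContext", "pid": 2460, "target": 3876},
    {"op": "AdjustPrivilegeToken", "pid": 3876, "privilege": "SeDebugPrivilege"},
    {"op": "create", "pid": 3420, "ppid": 3876, "image": NETSH, "cmdline": '"netsh" wlan show profile'},
    {"op": "WriteProcessMemory", "pid": 3876, "target": 3420},
    {"op": "WriteProcessMemory", "pid": 3876, "target": 3420},
    {"op": "WriteProcessMemory", "pid": 3876, "target": 3420},
]

# Assumed allow-list: parents from which a human typing the netsh command is plausible.
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def process_table(events):
    """pid -> its 'create' event."""
    return {e["pid"]: e for e in events if e["op"] == "create"}


def find_thread_hijack(events):
    """Parent/child pairs that show WriteProcessMemory AND SetThreadContext.

    Writes alone are weak evidence: CreateProcess itself writes into a freshly
    created child, which is why 3876 -> 3420 (netsh) shows three writes and is
    not flagged. Rewriting the child's thread context after writing to it is
    the injection tell. self_injection marks the same-image case seen here
    (the sample relaunching its own binary as the host); a different image
    would be classic hollowing of a decoy host process.
    """
    procs = process_table(events)
    writes = defaultdict(int)
    ctx = set()
    for e in events:
        if e["op"] == "WriteProcessMemory":
            writes[(e["pid"], e["target"])] += 1
        elif e["op"] == "SetThreadContext":
            ctx.add((e["pid"], e["target"]))
    hits = []
    for (src, dst), n in sorted(writes.items()):
        if (src, dst) not in ctx or src not in procs or dst not in procs:
            continue
        same = procs[src]["image"].lower() == procs[dst]["image"].lower()
        hits.append({"parent": src, "child": dst, "writes": n,
                     "image": procs[dst]["image"], "self_injection": same})
    return hits


def find_wifi_profile_enum(events):
    """`netsh wlan show profile` launched from a non-interactive parent.

    The report shows only this enumeration step. A follow-up with `key=clear`
    (which prints the stored PSK) is not on the page; the flag is carried so a
    caller can rank such an event higher if it appears.
    """
    procs = process_table(events)
    hits = []
    for e in events:
        if e["op"] != "create" or ntpath.basename(e["image"]).lower() != "netsh.exe":
            continue
        args = e["cmdline"].lower().split()
        if not {"wlan", "show", "profile"} <= set(args):
            continue
        parent = procs.get(e["ppid"])
        parent_image = parent["image"] if parent else "<unknown>"
        if ntpath.basename(parent_image).lower() in INTERACTIVE_PARENTS:
            continue
        hits.append({"netsh_pid": e["pid"], "parent_pid": e["ppid"],
                     "parent_image": parent_image,
                     "key_clear": "key=clear" in e["cmdline"].lower()})
    return hits


if __name__ == "__main__":
    for h in find_thread_hijack(EVENTS):
        print("thread hijack:", h)
    for h in find_wifi_profile_enum(EVENTS):
        print("wifi profile enumeration:", h)
```

Requiring both the write and the thread-context change keeps the rule quiet on ordinary child launches; the netsh rule keys on the parent rather than the command alone, because the same command typed by an administrator in cmd.exe is benign.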
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
dump | size
memory/3420-6-0x0000000000000000-mapping.dmp | -
memory/3876-0-0x0000000000400000-0x00000000004B0000-memory.dmp | 704KB
memory/3876-1-0x00000000004AEDD0-mapping.dmp | -
memory/3876-2-0x0000000000400000-0x00000000004B0000-memory.dmp | 704KB
memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp | 704KB
memory/3876-4-0x00000000009B0000-0x0000000000A02000-memory.dmp | 328KB
memory/3876-5-0x0000000002372000-0x0000000002373000-memory.dmp | 4KB
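The dump names above encode pid, snapshot sequence number and address range, and the yara tables earlier in the report tag some of those snapshots. Read together they say where the unpacked payload lives: the 0x400000-0x4B0000 image region of 3876 is tagged upx in three snapshots and only picks up family_agenttesla by snapshot 3, while the 0x9B0000-0xA02000 region is tagged family_agenttesla and never upx. The parser below, an added example and not Triage's code, checks the listed sizes against the address ranges and selects that second region as the dump to pull for further analysis; the names and tags are copied from the report, and treating "family rule without packer rule" as the unpacked payload is an analyst heuristic assumed here, not something the report states.

```python
"""Parse the report's memory-dump names and correlate them with yara tags.

Added example; not Triage's code. DOWNLOADS and YARA_HITS are copied from the
report; the selection heuristic in payload_candidates is an assumption.
"""
import re

DUMP_RE = re.compile(
    r"^(?:(?P<task>[^/]+)/)?memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"0x(?P<start>[0-9a-fA-F]+)(?:-0x(?P<end>[0-9a-fA-F]+))?-(?P<kind>memory|mapping)\.dmp$"
)
SIZE_RE = re.compile(r"^(\d+)KB$")

# (dump name, listed size) as shown under Downloads.
DOWNLOADS = [
    ("memory/3420-6-0x0000000000000000-mapping.dmp", None),
    ("memory/3876-0-0x0000000000400000-0x00000000004B0000-memory.dmp", "704KB"),
    ("memory/3876-1-0x00000000004AEDD0-mapping.dmp", None),
    ("memory/3876-2-0x0000000000400000-0x00000000004B0000-memory.dmp", "704KB"),
    ("memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp", "704KB"),
    ("memory/3876-4-0x00000000009B0000-0x0000000000A02000-memory.dmp", "328KB"),
    ("memory/3876-5-0x0000000002372000-0x0000000002373000-memory.dmp", "4KB"),
]

# (resource, yara_rule) rows from the Signatures section.
YARA_HITS = [
    ("behavioral2/memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp", "family_agenttesla"),
    ("behavioral2/memory/3876-4-0x00000000009B0000-0x0000000000A02000-memory.dmp", "family_agenttesla"),
    ("behavioral2/memory/3876-0-0x0000000000400000-0x00000000004B0000-memory.dmp", "upx"),
    ("behavioral2/memory/3876-2-0x0000000000400000-0x00000000004B0000-memory.dmp", "upx"),
    ("behavioral2/memory/3876-3-0x0000000000400000-0x00000000004B0000-memory.dmp", "upx"),
]


def parse_dump(name):
    """Split a dump name into task, pid, seq, start, end and kind.
    'mapping' dumps carry a single address, so end is None for them."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    d = m.groupdict()
    d["pid"], d["seq"] = int(d["pid"]), int(d["seq"])
    d["start"] = int(d["start"], 16)
    d["end"] = int(d["end"], 16) if d["end"] else None
    return d


def region_key(d):
    """Identity of a region across snapshots: same pid and address range."""
    return (d["pid"], d["start"], d["end"])


def size_mismatches(downloads):
    """Memory dumps whose listed KB size != end - start. Empty means consistent."""
    bad = []
    for name, size in downloads:
        d = parse_dump(name)
        if d["kind"] != "memory":
            continue
        listed = int(SIZE_RE.match(size).group(1)) * 1024
        if listed != d["end"] - d["start"]:
            bad.append(name)
    return bad


def rules_by_region(downloads, yara_hits):
    """Union of yara rule names over every snapshot of each (pid, start, end)."""
    regions = {}
    for name, _ in downloads:
        d = parse_dump(name)
        if d["kind"] == "memory":
            regions.setdefault(region_key(d), set())
    for name, rule in yara_hits:
        regions.setdefault(region_key(parse_dump(name)), set()).add(rule)
    return regions


def payload_candidates(downloads, yara_hits, family="family_agenttesla", packer="upx"):
    """Regions where the family rule fired but the packer rule never did
    (assumed heuristic for 'unpacked payload outside the packed image')."""
    return sorted(k for k, rules in rules_by_region(downloads, yara_hits).items()
                  if family in rules and packer not in rules)


def containing_region(downloads, pid, addr):
    """The dumped region of `pid` that contains a bare address, e.g. the
    address of a mapping dump; None if no dumped region covers it."""
    for name, _ in downloads:
        d = parse_dump(name)
        if d["kind"] == "memory" and d["pid"] == pid and d["start"] <= addr < d["end"]:
            return region_key(d)
    return None


if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DOWNLOADS))
    for key, rules in rules_by_region(DOWNLOADS, YARA_HITS).items():
        print(f"pid {key[0]} 0x{key[1]:X}-0x{key[2]:X}: {sorted(rules)}")
    print("pull for analysis:", payload_candidates(DOWNLOADS, YARA_HITS))
    print("3876-1 mapping address lies in:", containing_region(DOWNLOADS, 3876, 0x4AEDD0))
```

The same parser also places the 3876-1 mapping address (0x4AEDD0) inside the 0x400000-0x4B0000 image region, which is the region 2460 wrote into before resetting the child's thread context; the 4KB region at 0x2372000 carries no tags and can be deprioritised.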