Analysis
- max time kernel: 143s
- max time network: 38s
- platform: windows7_x64
- resource: win7v200430
- submitted: 08-07-2020 06:35
Static task: static1
Behavioral task: behavioral1
- Sample: b07481a98e54b4811f81ecac97947fdc.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: b07481a98e54b4811f81ecac97947fdc.exe
- Resource: win10
General
- Target: b07481a98e54b4811f81ecac97947fdc.exe
- Size: 703KB
- MD5: b07481a98e54b4811f81ecac97947fdc
- SHA1: ba5f79fe28af7c446b1784f413946d97ca33781d
- SHA256: 8e7d8dc49220d4ac88858ec8401d0d2b2a0c21d7b8e301c68de51e8a99238363
- SHA512: 1d34cc15cc74602b20a85749f5d27856b637ae7485e9d687228dd86f48deacaf79eecb59940b824d2b8bab4d3b7d95ae0a5338ecd37836235912637a7377d75c
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.durit-com-br.us
- Port: 587
- Username: [email protected]
- Password: k9Xm?clzrUl)
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1576-1-0x00000000004A26F0-mapping.dmp | family_agenttesla
  behavioral1/memory/1576-3-0x0000000000400000-0x00000000004A4000-memory.dmp | family_agenttesla
  behavioral1/memory/1576-4-0x0000000000370000-0x00000000003BC000-memory.dmp | family_agenttesla
  behavioral1/memory/1576-6-0x0000000000220000-0x0000000000266000-memory.dmp | family_agenttesla
- Processes:
  resource | yara_rule
  behavioral1/memory/1576-0-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/1576-2-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral1/memory/1576-3-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\iseeyou = "C:\\Users\\Admin\\AppData\\Local\\Temp\\iseeyou\\iseeyou.exe" | b07481a98e54b4811f81ecac97947fdc.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe
  description | pid | process | target process
  PID 676 set thread context of 1576 | 676 | b07481a98e54b4811f81ecac97947fdc.exe | b07481a98e54b4811f81ecac97947fdc.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe, b07481a98e54b4811f81ecac97947fdc.exe
  pid | process
  676 | b07481a98e54b4811f81ecac97947fdc.exe
  1576 | b07481a98e54b4811f81ecac97947fdc.exe
  1576 | b07481a98e54b4811f81ecac97947fdc.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe
  pid | process
  676 | b07481a98e54b4811f81ecac97947fdc.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe
  description | pid | process
  Token: SeDebugPrivilege | 1576 | b07481a98e54b4811f81ecac97947fdc.exe
- Suspicious use of WriteProcessMemory (4 IoCs)
  Processes: b07481a98e54b4811f81ecac97947fdc.exe
  description | pid | process | target process
  PID 676 wrote to memory of 1576 | 676 | b07481a98e54b4811f81ecac97947fdc.exe | b07481a98e54b4811f81ecac97947fdc.exe
  PID 676 wrote to memory of 1576 | 676 | b07481a98e54b4811f81ecac97947fdc.exe | b07481a98e54b4811f81ecac97947fdc.exe
  PID 676 wrote to memory of 1576 | 676 | b07481a98e54b4811f81ecac97947fdc.exe | b07481a98e54b4811f81ecac97947fdc.exe
  PID 676 wrote to memory of 1576 | 676 | b07481a98e54b4811f81ecac97947fdc.exe | b07481a98e54b4811f81ecac97947fdc.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\b07481a98e54b4811f81ecac97947fdc.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b07481a98e54b4811f81ecac97947fdc.exe"
  PID: 676
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\b07481a98e54b4811f81ecac97947fdc.exe (child of PID 676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\b07481a98e54b4811f81ecac97947fdc.exe"
    PID: 1576
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken