Analysis
-
max time kernel
139s -
max time network
20s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
08-07-2020 12:43
Static task
static1
Behavioral task
behavioral1
Sample
greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe
Resource
win10
General
-
Target
greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe
-
Size
277KB
-
MD5
406de95a9dd661c24493b0d207c25a99
-
SHA1
4798b6987d2cf926b58fd462605449febfc85310
-
SHA256
ff11cc320a56b5aa8cdfc8ce4bbd78926624ebdac7514446556c28feebed0e15
-
SHA512
8a43065aefaaa263e5629002d9603cb7c18eb4d8f04845d66272273a90fe5e04ee4ae9c9f7488563f7773727f0d4fb6823d43774f8e3ed0f594f0d1196732a33
Malware Config
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exepid process 828 greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe 828 greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exedescription pid process Token: SeDebugPrivilege 828 greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe"C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_elb.exe.malw.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:828