Analysis
max time kernel: 139s
max time network: 32s
platform: windows7_x64
resource: win7v200430
submitted: 08-07-2020 12:56
Static task: static1
Behavioral task: behavioral1 (sample PO.exe, resource win7v200430)
Behavioral task: behavioral2 (sample PO.exe, resource win10)
General
Target: PO.exe
Size: 376KB
MD5: 84133be5dc2ce3c5db50c09794746749
SHA1: 197076af033cda5e0ac539b3dd5d0113677dba7f
SHA256: 8b9a55b92c1ec972a8105740919d99c5b4fabac2b927759d993bd1d13cf4946b
SHA512: 020a4d8a8522c4b9b0be63ac5d29fae3a9549d2423afbd22b99b76ac66d2ffe6f8d714cf6f82445726ca44ca9e9e1e84b35979cd6243e6aa8b8a42a84f871cff
Malware Config
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (description / pid / process):
Token: SeDebugPrivilege / 1456 / PO.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid / process):
1456 / PO.exe
1456 / PO.exe
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

AgentTesla
Agent Tesla is a .NET-based information stealer and remote access tool (RAT), typically written in VB.NET. The credential-store reads listed above (FTP client, email client and browser data) are its characteristic behaviour.
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
PID 1400 wrote to memory of 1456 / 1400 / PO.exe / PO.exe (nine identical rows)

Suspicious use of SetThreadContext (1 IoC)
Processes (description / pid / process / target process):
PID 1400 set thread context of 1456 / 1400 / PO.exe / PO.exe

Taken together, these two signatures are the process-hollowing (RunPE-style) pattern: the first PO.exe instance (PID 1400) starts a second copy of its own image (PID 1456), writes the payload into the child's address space across nine WriteProcessMemory calls, then replaces the child's thread context so execution resumes at the injected code. The child, not the parent, is the process that afterwards enables SeDebugPrivilege and enumerates processes.
Processes

C:\Users\Admin\AppData\Local\Temp\PO.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe")  PID 1400
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
    C:\Users\Admin\AppData\Local\Temp\PO.exe  (command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe")  PID 1456, child of PID 1400
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses
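The following is an added example, not code from the sandbox vendor or from this report. It takes the flattened signature rows exactly as they appear above (WriteProcessMemory, SetThreadContext, AdjustPrivilegeToken, EnumeratesProcesses), parses them into events, and applies the process-hollowing rule a detection engineer would write against such data: a source process that both writes into a child's memory and replaces that child's thread context. The row grammar, the `parse_rows`/`detect_hollowing` names, and the `CONTROL_ROWS` counter-example (a lone cross-process write with hypothetical image names, which must not fire) are assumptions of this example.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Rows copied from the Signatures section of the report above, keyed by the
# signature they sit under (constructed input for this example: the page renders
# them as table cells, this is the flattened text of each row).
REPORT_ROWS = (
    [("AdjustPrivilegeToken", "Token: SeDebugPrivilege 1456 PO.exe"),
     ("EnumeratesProcesses", "1456 PO.exe"),
     ("EnumeratesProcesses", "1456 PO.exe")]
    + [("WriteProcessMemory", "PID 1400 wrote to memory of 1456 1400 PO.exe PO.exe")] * 9
    + [("SetThreadContext", "PID 1400 set thread context of 1456 1400 PO.exe PO.exe")]
)

# Constructed control case with hypothetical image names: one cross-process
# write and no thread-context change, which is what a debugger or an inline
# hook installer looks like and must not be flagged as hollowing.
CONTROL_ROWS = [("WriteProcessMemory", "PID 500 wrote to memory of 600 500 dbg.exe app.exe")]

# "PID <src> <verb> <dst> <src> <src image> <dst image>"
CROSS_PROC = re.compile(
    r"^PID (\d+) (?:wrote to memory of|set thread context of) (\d+) \d+ (\S+) (\S+)$")
# "[Token: <privilege>] <pid> <image>"
IN_PROC = re.compile(r"^(?:Token: (\S+) )?(\d+) (\S+)$")


@dataclass(frozen=True)
class Event:
    sig: str
    pid: int
    image: str
    target_pid: Optional[int] = None
    target_image: Optional[str] = None
    detail: Optional[str] = None  # e.g. the privilege name for AdjustPrivilegeToken


def parse_rows(rows):
    """Turn (signature, flattened row) pairs into Event records."""
    events = []
    for sig, row in rows:
        m = CROSS_PROC.match(row)
        if m:
            events.append(Event(sig, int(m[1]), m[3], int(m[2]), m[4]))
            continue
        m = IN_PROC.match(row)
        if m:
            events.append(Event(sig, int(m[2]), m[3], detail=m[1]))
            continue
        raise ValueError(f"unrecognised row under {sig}: {row!r}")
    return events


def detect_hollowing(events):
    """Flag every (source, target) pair where the source both wrote into the
    target's memory and replaced a thread context there: the core sequence of
    RunPE-style process hollowing. Each finding also records what the target
    process did on its own afterwards, which is where the payload's behaviour
    (privilege changes, process enumeration) shows up."""
    sigs_by_pair = defaultdict(set)
    images = {}
    for e in events:
        if e.target_pid is not None:
            sigs_by_pair[(e.pid, e.target_pid)].add(e.sig)
            images[e.pid] = e.image
            images[e.target_pid] = e.target_image
    findings = []
    for (src, dst), sigs in sigs_by_pair.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= sigs:
            continue
        child_events = [e for e in events if e.pid == dst and e.target_pid is None]
        findings.append({
            "parent": src,
            "child": dst,
            # Same image on both sides means the loader spawned a copy of
            # itself to host the payload, as PO.exe does in this report.
            "same_image": images[src].lower() == images[dst].lower(),
            "write_count": sum(1 for e in events
                               if (e.pid, e.target_pid, e.sig) == (src, dst, "WriteProcessMemory")),
            "child_signatures": sorted({e.sig for e in child_events}),
            "child_privileges": sorted({e.detail for e in child_events if e.detail}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_hollowing(parse_rows(REPORT_ROWS)):
        print(finding)
```

Run against the report's rows this yields a single finding: parent 1400, child 1456, same image, nine writes, and a child that went on to enable SeDebugPrivilege and enumerate processes; the control rows yield nothing. On a real host the same rule applies to Sysmon event ID 8/10-style telemetry or an EDR's cross-process API log, with the additional check that the target's on-disk image matches what is actually mapped at its entry point.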