Analysis
- max time kernel: 117s
- max time network: 143s
- platform: windows10_x64
- resource: win10
- submitted: 08-07-2020 12:56
Static task: static1
Behavioral task: behavioral1
- Sample: PO.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: PO.exe
- Resource: win10
General
- Target: PO.exe
- Size: 376KB
- MD5: 84133be5dc2ce3c5db50c09794746749
- SHA1: 197076af033cda5e0ac539b3dd5d0113677dba7f
- SHA256: 8b9a55b92c1ec972a8105740919d99c5b4fabac2b927759d993bd1d13cf4946b
- SHA512: 020a4d8a8522c4b9b0be63ac5d29fae3a9549d2423afbd22b99b76ac66d2ffe6f8d714cf6f82445726ca44ca9e9e1e84b35979cd6243e6aa8b8a42a84f871cff
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.visgring.com
- Port: 587
- Username: [email protected]
- Password: uqtQpAv1
Signatures
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       pid   process  target process
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
  PID 3608 wrote to memory of 4004  3608  PO.exe   PO.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process  target process
  PID 3608 set thread context of 4004  3608  PO.exe   PO.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  4004  PO.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid   process
  4004  PO.exe
  4004  PO.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
Processes
- C:\Users\Admin\AppData\Local\Temp\PO.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
  - Suspicious use of WriteProcessMemory
  - Suspicious use of SetThreadContext
  PID: 3608
  - C:\Users\Admin\AppData\Local\Temp\PO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\PO.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious behavior: EnumeratesProcesses
    PID: 4004