Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 17:11

Static task: static1
Behavioral task: behavioral1
- Sample: 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Resource: win10v200430
General
- Target: 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Size: 675KB
- MD5: 9ddecabca1b0f6f3f73316c406ee38a0
- SHA1: f9edc0bc8fdf17b8b4095212e3ad0395b84fec6d
- SHA256: 35f0e8ca3bab29cfdf15c42ba6879af714ee203082d9cffc70a0b05e4eaae0ed
- SHA512: 75320d2b72e982610cfc8e38ee946a7ad4c823cfe2c1a0e66b465e2de518cde34d132c5b9a9b9b4a457afa6eae43944f8bdbf56f9e75ead3719c719dfffd45c2
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: evawater.xyz
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic .NET.
- AgentTesla Payload  3 IoCs
Memory dumps (named <pid>-<index>-<start>-<end>) that match the family rule; all three come from the child process, PID 240:
resource | yara_rule
behavioral1/memory/240-3-0x0000000000400000-0x00000000004A5000-memory.dmp | family_agenttesla
behavioral1/memory/240-4-0x0000000000340000-0x000000000038C000-memory.dmp | family_agenttesla
behavioral1/memory/240-6-0x00000000002A0000-0x00000000002E6000-memory.dmp | family_agenttesla
- Memory dumps matching the upx YARA rule  3 IoCs
resource | yara_rule
behavioral1/memory/240-0-0x0000000000400000-0x00000000004A5000-memory.dmp | upx
behavioral1/memory/240-2-0x0000000000400000-0x00000000004A5000-memory.dmp | upx
behavioral1/memory/240-3-0x0000000000400000-0x00000000004A5000-memory.dmp | upx
Dump 240-3 covers the same 0x00400000-0x004A5000 region as the two earlier upx hits and matches both rules, consistent with the UPX-packed image being unpacked in place inside the child process.
- Reads data files stored by FTP clients  2 TTPs
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients  2 TTPs
Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers  2 TTPs
Infostealers often target stored browser data, which can include saved credentials.
- Adds Run key to start application  2 TTPs  1 IoCs
process: 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240, per the process tree)
description: Set value (str)
ioc: \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\chekwa = "C:\\Users\\Admin\\AppData\\Local\\Temp\\chekwa\\chekwa.exe"
The value is written under the user's hive (HKU\<SID>, RID 1000, i.e. HKCU for the logged-on user), so it needs no elevation, and it points at chekwa.exe under the user's Temp directory.
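The registry IoC above is the persistence artifact of this sample. As an added example (not part of the sandbox report and not the malware's code), the Python below parses a Triage-style "Set value (str) \REGISTRY\...\Run\<name> = "<data>"" line into hive, SID, subkey, value name and image path, and flags Run entries whose target lives in a user-writable directory such as the per-user Temp folder. The first input line reproduces the report's IoC; the second benign entry, the directory marker list and the function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed input (not a sandbox export). The first line reproduces the Run-key
# IoC from the report; the second is a made-up benign entry used as a control.
RUN_KEY_EVENTS = [
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000'
    r'\Software\Microsoft\Windows\CurrentVersion\Run\chekwa = '
    r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\chekwa\\chekwa.exe"',
    r'Set value (str) \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdater = '
    r'"C:\\Program Files\\Vendor\\updater.exe" /background',
]

# Directories an unprivileged user can write to. A Run value pointing into one of
# these is the usual shape of user-level autostart persistence (ATT&CK T1547.001).
# The list is an assumption; extend it for your environment.
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\appdata\\local\\",
    "\\users\\public\\",
    "\\programdata\\",
    "\\downloads\\",
)

RUN_KEY_RE = re.compile(
    r"Set value \((?P<type>\w+)\) "
    r"(?P<key>\\REGISTRY\\(?P<hive>USER|MACHINE)\\\S*?\\CurrentVersion\\(?P<subkey>Run(?:Once)?))"
    r"\\(?P<name>[^\s=]+) = (?P<data>.*)$"
)
SID_RE = re.compile(r"\\REGISTRY\\USER\\(S-1-[\d-]+)")


@dataclass
class RunKeyFinding:
    hive: str            # "USER" (HKU/HKCU) or "MACHINE" (HKLM)
    sid: Optional[str]   # account SID for HKU entries, None for HKLM
    subkey: str          # "Run" or "RunOnce"
    value_name: str
    image_path: str
    user_writable: bool

    @property
    def suspicious(self) -> bool:
        return self.user_writable


def _image_path(data: str) -> str:
    """Recover the executable path from the value data. The sandbox renders the
    string with doubled backslashes, so undo that before stripping quotes."""
    data = data.strip().replace("\\\\", "\\")
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ", 1)[0]


def parse_run_key_event(line: str) -> Optional[RunKeyFinding]:
    """Parse one 'Set value' line; return None for anything that is not a Run/RunOnce write."""
    m = RUN_KEY_RE.match(line.strip())
    if not m:
        return None
    sid_match = SID_RE.search(m.group("key"))
    path = _image_path(m.group("data"))
    lowered = path.lower()
    return RunKeyFinding(
        hive=m.group("hive"),
        sid=sid_match.group(1) if sid_match else None,
        subkey=m.group("subkey"),
        value_name=m.group("name"),
        image_path=path,
        user_writable=any(marker in lowered for marker in USER_WRITABLE_MARKERS),
    )


def triage_run_keys(lines: List[str]) -> List[RunKeyFinding]:
    return [f for f in map(parse_run_key_event, lines) if f is not None]


if __name__ == "__main__":
    for f in triage_run_keys(RUN_KEY_EVENTS):
        scope = f"HKU\\{f.sid}" if f.sid else "HKLM"
        flag = "SUSPICIOUS" if f.suspicious else "ok"
        print(f"[{flag}] {scope}\\...\\{f.subkey}\\{f.value_name} -> {f.image_path}")
```

The check keys on where the autostart target lives rather than on its name, because the value name ("chekwa") and file name are arbitrary per sample, while a Run entry pointing into a user-writable Temp or AppData path is stable across families.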
- Suspicious use of SetThreadContext  1 IoCs
description | pid | process | target process
PID 1496 set thread context of 240 | 1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe | 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240)
- Suspicious behavior: EnumeratesProcesses  3 IoCs
pid | process
1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe
240 | 9ddecabca1b0f6f3f73316c406ee38a0.exe
240 | 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Suspicious behavior: MapViewOfSection  1 IoCs
pid | process
1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Suspicious use of AdjustPrivilegeToken  1 IoCs
description | pid | process
Token: SeDebugPrivilege | 240 | 9ddecabca1b0f6f3f73316c406ee38a0.exe
- Suspicious use of WriteProcessMemory  4 IoCs
description | pid | process | target process
PID 1496 wrote to memory of 240 | 1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe | 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240)
PID 1496 wrote to memory of 240 | 1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe | 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240)
PID 1496 wrote to memory of 240 | 1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe | 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240)
PID 1496 wrote to memory of 240 | 1496 | 9ddecabca1b0f6f3f73316c406ee38a0.exe | 9ddecabca1b0f6f3f73316c406ee38a0.exe (PID 240)
Processes
- C:\Users\Admin\AppData\Local\Temp\9ddecabca1b0f6f3f73316c406ee38a0.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\9ddecabca1b0f6f3f73316c406ee38a0.exe"
  PID: 1496
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\9ddecabca1b0f6f3f73316c406ee38a0.exe (child of PID 1496)
    command line: "C:\Users\Admin\AppData\Local\Temp\9ddecabca1b0f6f3f73316c406ee38a0.exe"
    PID: 240
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
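Read together, the process tree and the SetThreadContext / WriteProcessMemory signatures show the first instance (PID 1496) starting a second copy of the same executable (PID 240), writing into it four times and replacing its thread context; the second copy is the one that sets the Run key and holds the unpacked AgentTesla payload in memory. As an added example, not code from the sandbox or from the sample, the Python below turns lines in the report's wording into a detection for that chain: it fires only when a process creates a child, writes into it, and then calls SetThreadContext on it. The "created process" line format, the benign explorer/notepad control and the function names are assumptions introduced for this illustration; the sandbox lines above do not show CREATE_SUSPENDED or ResumeThread, so the rule deliberately does not depend on them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

SAMPLE = "9ddecabca1b0f6f3f73316c406ee38a0.exe"

# Constructed event log (not a sandbox export). The "set thread context" and
# "wrote to memory" lines copy the wording of the signatures above; the
# "created process" lines are an invented format carrying the parent/child
# relation and image name from the process tree. The explorer/notepad pair is
# a benign control that must not fire.
EVENTS = [
    f"created process 1496 {SAMPLE} parent 0",
    f"created process 240 {SAMPLE} parent 1496",
    "PID 1496 set thread context of 240",
    "PID 1496 wrote to memory of 240",
    "PID 1496 wrote to memory of 240",
    "PID 1496 wrote to memory of 240",
    "PID 1496 wrote to memory of 240",
    "created process 900 explorer.exe parent 0",
    "created process 950 notepad.exe parent 900",
]

CREATE_RE = re.compile(r"created process (\d+) (\S+) parent (\d+)$")
CTX_RE = re.compile(r"PID (\d+) set thread context of (\d+)$")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+)$")


@dataclass
class Interaction:
    """Cross-process API activity from one source PID into one target PID."""
    thread_context_sets: int = 0
    memory_writes: int = 0


@dataclass
class HollowingFinding:
    source: int
    target: int
    target_image: str
    memory_writes: int
    reasons: List[str] = field(default_factory=list)


def detect_process_hollowing(events: List[str]) -> List[HollowingFinding]:
    """Flag (source, target) pairs where the source created the target, wrote
    into it and replaced its thread context: the observable core of process
    hollowing / RunPE (ATT&CK T1055.012). Writes alone, or injection into a
    process the writer did not create, are left to other rules."""
    image: Dict[int, str] = {}
    parent: Dict[int, int] = {}
    pairs: Dict[Tuple[int, int], Interaction] = {}

    def pair(src: int, dst: int) -> Interaction:
        return pairs.setdefault((src, dst), Interaction())

    for line in events:
        line = line.strip()
        m = CREATE_RE.match(line)
        if m:
            pid, img, ppid = int(m.group(1)), m.group(2), int(m.group(3))
            image[pid], parent[pid] = img, ppid
            continue
        m = CTX_RE.match(line)
        if m:
            pair(int(m.group(1)), int(m.group(2))).thread_context_sets += 1
            continue
        m = WPM_RE.match(line)
        if m:
            pair(int(m.group(1)), int(m.group(2))).memory_writes += 1

    findings: List[HollowingFinding] = []
    for (src, dst), act in pairs.items():
        if act.thread_context_sets == 0 or act.memory_writes == 0:
            continue  # debuggers and some installers write memory without a context swap
        if parent.get(dst) != src:
            continue  # injecting into a foreign process is a different pattern
        reasons = [
            f"{src} created {dst} and then called SetThreadContext on it",
            f"{act.memory_writes} WriteProcessMemory call(s) from {src} into {dst}",
        ]
        if image.get(src) == image.get(dst):
            reasons.append("child runs the same image as the parent (self-hollowing, typical of RunPE loaders)")
        findings.append(HollowingFinding(src, dst, image.get(dst, "?"), act.memory_writes, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_process_hollowing(EVENTS):
        print(f"process hollowing: {f.source} -> {f.target} ({f.target_image})")
        for r in f.reasons:
            print("  -", r)
```

Requiring parentage plus both API calls keeps the rule quiet on legitimate parents that merely spawn children, while the same-image check is reported as a reason rather than a requirement, since loaders also hollow unrelated system binaries.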