Analysis
-
max time kernel
113s -
max time network
121s -
platform
windows7_x64 -
resource
win7 -
submitted
08-07-2020 12:44
General
-
Target
greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe
-
Size
278KB
-
MD5
43cf5f9119cdd4c25d054bd50a6cbd45
-
SHA1
746cb5255907823a966ca49a2e88284222cf99a6
-
SHA256
58ccbb9c260814984edcc4b54de06a6f062e1b8abee2a4cb37b72e785bfcd985
-
SHA512
48f7038b181e45a52ebb4a62225fb55e4d8c090e267637f49f18bd1a90bae6b458c0896ac76abfc3c3daf87fa4aac12a3f88ddaf511804a7cf923386470b4523
Score
10/10
Malware Config
Signatures
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe"C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious behavior: EnumeratesProcesses