Analysis

  • max time kernel
    131s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    08-07-2020 12:44

General

  • Target

    greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe

  • Size

    278KB

  • MD5

    43cf5f9119cdd4c25d054bd50a6cbd45

  • SHA1

    746cb5255907823a966ca49a2e88284222cf99a6

  • SHA256

    58ccbb9c260814984edcc4b54de06a6f062e1b8abee2a4cb37b72e785bfcd985

  • SHA512

    48f7038b181e45a52ebb4a62225fb55e4d8c090e267637f49f18bd1a90bae6b458c0896ac76abfc3c3daf87fa4aac12a3f88ddaf511804a7cf923386470b4523

Malware Config

Extracted

Credentials

  • Protocol:
    smtp
  • Host:
    smtp.kindehome.com
  • Port:
    587
  • Username:
    whesilo@kindehome.com
  • Password:
    )lW@oiO8

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

Processes

  • C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe
    "C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_whe.exe.malw.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious behavior: EnumeratesProcesses
    PID:1592

Network

MITRE ATT&CK Matrix ATT&CK v6

Credential Access

Credentials in Files

3
T1081

Collection

Data from Local System

3
T1005

Replay Monitor

Loading Replay Monitor...

Downloads