Analysis
-
max time kernel
147s -
max time network
6s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
08-07-2020 07:09
Static task
static1
Behavioral task
behavioral1
Sample
ejinewcrypt.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
ejinewcrypt.exe
Resource
win10
General
-
Target
ejinewcrypt.exe
-
Size
713KB
-
MD5
13c7191ab2781a2d225665a4c1b23b17
-
SHA1
89d584fa1b31d8fc00c35fe73de89058dd79ec2c
-
SHA256
50e017de70cd0bbf71b8f4e687d56b796cd355b38c30076c7769d8b0b8562449
-
SHA512
96541683f67c11f33ce7f3c8674c84ef866c7c71558fab546a6c98662b59e1f012d36bfcec510897cb8d618ad74bb46489ba77f397e07ad6a952971be0df95d3
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.dogaseed.com - Port:
587 - Username:
[email protected] - Password:
Doga_2017*
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/1032-1-0x00000000004AE360-mapping.dmp family_agenttesla behavioral1/memory/1032-3-0x0000000000400000-0x00000000004B0000-memory.dmp family_agenttesla behavioral1/memory/1032-4-0x00000000004B0000-0x0000000000502000-memory.dmp family_agenttesla behavioral1/memory/1032-6-0x00000000002B0000-0x00000000002FC000-memory.dmp family_agenttesla -
resource yara_rule behavioral1/memory/1032-0-0x0000000000400000-0x00000000004B0000-memory.dmp upx behavioral1/memory/1032-2-0x0000000000400000-0x00000000004B0000-memory.dmp upx behavioral1/memory/1032-3-0x0000000000400000-0x00000000004B0000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\CFMBUF = "C:\\Users\\Admin\\AppData\\Roaming\\CFMBUF\\CFMBUF.exe" ejinewcrypt.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 288 set thread context of 1032 288 ejinewcrypt.exe 24 -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 288 ejinewcrypt.exe 1032 ejinewcrypt.exe 1032 ejinewcrypt.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
pid Process 288 ejinewcrypt.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1032 ejinewcrypt.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 288 wrote to memory of 1032 288 ejinewcrypt.exe 24 PID 288 wrote to memory of 1032 288 ejinewcrypt.exe 24 PID 288 wrote to memory of 1032 288 ejinewcrypt.exe 24 PID 288 wrote to memory of 1032 288 ejinewcrypt.exe 24 PID 1032 wrote to memory of 1084 1032 ejinewcrypt.exe 28 PID 1032 wrote to memory of 1084 1032 ejinewcrypt.exe 28 PID 1032 wrote to memory of 1084 1032 ejinewcrypt.exe 28 PID 1032 wrote to memory of 1084 1032 ejinewcrypt.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:288 -
C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"C:\Users\Admin\AppData\Local\Temp\ejinewcrypt.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1032 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:1084
-
-