Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
08/07/2020, 12:44
General
-
Target
greattastesmb.ca_wp_content_plugins_duplicator_files_thai.exe.malw.exe
-
Size
277KB
-
MD5
9a3f655d4e43807eeeefd64a75d4d018
-
SHA1
c697914759dd9e5a3b80c47a5d4fa584be4af54c
-
SHA256
89e3a0f67fa4de572c497739e85e28208077b72fbfa6b02aac1937071f940b6b
-
SHA512
135cccb48b3e4bef652da35c708a17a956648e074c4bcd1ad5d23bbf7e92dda4185c95c707d98f954f37d909d2a25a250a4ebd379f25ecb022a44b7d0bc92ffc
Score
10/10
Malware Config
Extracted
Credentials
Protocol: smtp- Host:
terminal6.veeblehosting.com - Port:
587 - Username:
[email protected] - Password:
9&QpI_d,CB1N
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_thai.exe.malw.exe"C:\Users\Admin\AppData\Local\Temp\greattastesmb.ca_wp_content_plugins_duplicator_files_thai.exe.malw.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken