Analysis
- max time kernel: 74s
- max time network: 66s
- platform: windows7_x64
- resource: win7
- submitted: 08-07-2020 10:25
Static task: static1
Behavioral task: behavioral1
- Sample: PO345678.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: PO345678.exe
- Resource: win10v200430
General
- Target: PO345678.exe
- Size: 883KB
- MD5: 49176bcb0b146d290d9a02e78b57d4df
- SHA1: aa04d97bfbe65b9cbce4ffe9488df2f25b3b91e5
- SHA256: 943cfd0d793dc383dfa4672bf1d2b6b67d4e4dd75b3de9fefcbbdf1f33027f8c
- SHA512: 9c3ca652ba81e748e7499934494acce2bbd3f36968423098c71f23223c3ff430c658ac8214ebbd2ac987267e29e3f5997b5f97121511e55ae463e2ccd24ce565
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected]
- Password: ikem123456789
Signatures
- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT), originally written in Visual Basic .NET. The SMTP credentials above are its exfiltration channel: stolen data is mailed out through the configured account rather than sent to a C2 server.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1476-0-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-1-0x0000000000446A4E-mapping.dmp | family_agenttesla
  behavioral1/memory/1476-3-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1476-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 1340 set thread context of 1476 | 1340 | PO345678.exe | PO345678.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1476 | PO345678.exe
  1476 | PO345678.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1476 | PO345678.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description | pid | process | target process
  PID 1340 wrote to memory of 1476 | 1340 | PO345678.exe | PO345678.exe
  (this row is recorded 9 times, once per WriteProcessMemory call from 1340 into 1476)
Processes
- C:\Users\Admin\AppData\Local\Temp\PO345678.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\PO345678.exe"
  PID: 1340 (depth 1)
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\PO345678.exe
    Command line: "{path}"
    PID: 1476 (depth 2, child of 1340)
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
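The signature rows and the process tree together show the self-injection sequence typical of packed Agent Tesla droppers: the parent PO345678.exe (PID 1340) starts a second copy of its own image, writes into it nine times, then redirects a thread with SetThreadContext; the child (PID 1476) is the one that takes SeDebugPrivilege, enumerates processes and reads credential stores, and every family_agenttesla dump comes from that child's image region at 0x400000-0x44C000. The script below is an added example, not part of the sandbox report or its export format: it parses the dump resource names in the form used above and correlates them with API events to flag the parent/child pair. The event records, their field names, and the API names standing in for the report's "EnumeratesProcesses" and "AdjustPrivilegeToken" labels (CreateToolhelp32Snapshot, AdjustTokenPrivileges) are constructed assumptions chosen to mirror this report's rows.

```python
import re
from collections import defaultdict

# Constructed event records (field and API names are assumptions, not the
# sandbox's export format) mirroring this report: nine WriteProcessMemory
# rows and one SetThreadContext row from PID 1340 into PID 1476, then
# SeDebugPrivilege and process enumeration inside 1476.
PARENT = {"pid": 1340, "image": "PO345678.exe"}
CHILD = {"pid": 1476, "image": "PO345678.exe"}
EVENTS = [
    {"api": "WriteProcessMemory", **PARENT, "target": CHILD["pid"],
     "target_image": CHILD["image"]} for _ in range(9)
] + [
    {"api": "SetThreadContext", **PARENT, "target": CHILD["pid"],
     "target_image": CHILD["image"]},
    {"api": "AdjustTokenPrivileges", **CHILD, "privilege": "SeDebugPrivilege"},
    {"api": "CreateToolhelp32Snapshot", **CHILD},
]

# Dump resource names and YARA hits exactly as listed under "AgentTesla Payload".
DUMPS = [
    ("behavioral1/memory/1476-0-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
    ("behavioral1/memory/1476-1-0x0000000000446A4E-mapping.dmp", "family_agenttesla"),
    ("behavioral1/memory/1476-3-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
    ("behavioral1/memory/1476-2-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
]

# <task>/memory/<pid>-<index>-0x<start>[-0x<end>]-<memory|mapping>.dmp
DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)

def parse_dump_name(name):
    """Split a dump resource name into task, pid, index, address range and kind."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump resource name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None  # mapping dumps carry one address
    return {"task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
            "start": start, "end": end, "kind": m["kind"],
            "size": (end - start) if end is not None else None}

INJECT_APIS = {"WriteProcessMemory", "SetThreadContext"}

def find_self_injection(events):
    """Flag (parent, child) pairs where the parent both wrote the child's memory
    and replaced a thread context, and record what the child did afterwards."""
    pairs = defaultdict(lambda: {"apis": set(), "writes": 0, "same_image": False})
    for e in events:
        if e["api"] in INJECT_APIS and "target" in e:
            rec = pairs[(e["pid"], e["target"])]
            rec["apis"].add(e["api"])
            rec["same_image"] = e["image"].lower() == e["target_image"].lower()
            if e["api"] == "WriteProcessMemory":
                rec["writes"] += 1
    findings = []
    for (parent, child), rec in pairs.items():
        if not INJECT_APIS <= rec["apis"]:
            continue  # a lone write or a lone SetThreadContext is not enough on its own
        child_events = [e for e in events if e["pid"] == child]
        findings.append({
            "parent": parent, "child": child, "writes": rec["writes"],
            "same_image": rec["same_image"],
            "child_took_debug_priv": any(e.get("privilege") == "SeDebugPrivilege"
                                         for e in child_events),
            "child_enumerates_processes": any(e["api"] == "CreateToolhelp32Snapshot"
                                              for e in child_events),
        })
    return findings

def payload_regions(findings, dumps):
    """Attribute family-tagged dumps to injected children, collapse repeated dumps
    of the same range into one region, and note mapping offsets inside it."""
    children = {f["child"] for f in findings}
    regions, mappings = {}, []
    for name, rule in dumps:
        d = parse_dump_name(name)
        if d["pid"] not in children or not rule.startswith("family_"):
            continue
        if d["kind"] == "memory":
            regions[(d["pid"], d["start"], d["end"])] = rule
        else:
            mappings.append((d["pid"], d["start"]))
    return [{"pid": pid, "start": start, "end": end, "size": end - start, "rule": rule,
             "mappings_inside": [m for p, m in mappings if p == pid and start <= m < end]}
            for (pid, start, end), rule in regions.items()]

if __name__ == "__main__":
    hits = find_self_injection(EVENTS)
    for f in hits:
        print(f"PID {f['parent']} -> PID {f['child']}: {f['writes']} writes, same image="
              f"{f['same_image']}, child SeDebugPrivilege={f['child_took_debug_priv']}, "
              f"child enumerates processes={f['child_enumerates_processes']}")
    for r in payload_regions(hits, DUMPS):
        print(f"  {r['rule']} in PID {r['pid']}: 0x{r['start']:X}-0x{r['end']:X} "
              f"({r['size']} bytes), mappings inside: "
              + ", ".join(f"0x{m:X}" for m in r["mappings_inside"]))
```

The same_image check is what separates this self-hollowing pattern from injection into a third-party process, and the mapping dump at 0x446A4E falling inside the 0x400000-0x44C000 image region is a cheap consistency check that the tagged dumps really are the injected image rather than unrelated heap. On a live host Sysmon has no SetThreadContext event, so the equivalent detection keys off a process spawning its own image plus a ProcessAccess (event ID 10) from parent to that child; the sandbox API trace used here is the richer source.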