Analysis
- max time kernel: 90s
- max time network: 83s
- platform: windows7_x64
- resource: win7v200430
- submitted: 09-07-2020 07:37
Static task: static1
Behavioral task: behavioral1
- Sample: Quotation Bailey Trading.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Quotation Bailey Trading.exe
- Resource: win10
General
- Target: Quotation Bailey Trading.exe
- Size: 490KB
- MD5: 45ed49bc00c8352417d38b274a09e3a0
- SHA1: 2b5b5dec00fa95cc35ce534eb9375afd26a0c1ad
- SHA256: 07c711fae257407249a60f7f55cdf1125d76431ce6bbc6e25313c06af4a9f101
- SHA512: 5de0c47912de38f415bdc533b569db98f5bfb3e885cad384010ba5b4805262ceaa255e6045b052c816822acf19cb47b386d4ee08be858a8a2442f3f3f5ea7142
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.pierreinsurancebrokers.com
- Port: 587
- Username: [email protected]
- Password: advisor@1234
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1812-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1812-3-0x0000000000446C5E-mapping.dmp | family_agenttesla
  behavioral1/memory/1812-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1812-5-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description | pid | process | target process
  PID 892 set thread context of 1812 | 892 | Quotation Bailey Trading.exe | Quotation Bailey Trading.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
  pid | process
  1812 | Quotation Bailey Trading.exe
  1812 | Quotation Bailey Trading.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1812 | Quotation Bailey Trading.exe
- Suspicious use of WriteProcessMemory (13 IoCs)
  Processes:
  description | pid | process | target process
  PID 892 wrote to memory of 1336 | 892 | Quotation Bailey Trading.exe | schtasks.exe (4 identical entries)
  PID 892 wrote to memory of 1812 | 892 | Quotation Bailey Trading.exe | Quotation Bailey Trading.exe (9 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe (PID 892, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\schtasks.exe (PID 1336, level 2)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EosAecC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD68.tmp"
    - Creates scheduled task(s)
  - C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe (PID 1812, level 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: 8ab7e9d4e4a73fbe46465f080bc4d4dd
  SHA1: 61d7fb1aaa4b872deee4ea9c09087847d500f33c
  SHA256: 7b941e45d2fa946ff984a5e9bcdbad92fd2a62a1ff343c122b9836bbf3f5ce95
  SHA512: e4732dfdeb4355d814b5a25b5440bd051cb065e9ec03c1272d0cdebc2dc01c4b23d72005bc9fa1c8791d30a035b25d773a60318f334579072f4887012ec3bed8