Analysis

  • max time kernel
    90s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    09-07-2020 07:37

General

  • Target

    Quotation Bailey Trading.exe

  • Size

    490KB

  • MD5

    45ed49bc00c8352417d38b274a09e3a0

  • SHA1

    2b5b5dec00fa95cc35ce534eb9375afd26a0c1ad

  • SHA256

    07c711fae257407249a60f7f55cdf1125d76431ce6bbc6e25313c06af4a9f101

  • SHA512

    5de0c47912de38f415bdc533b569db98f5bfb3e885cad384010ba5b4805262ceaa255e6045b052c816822acf19cb47b386d4ee08be858a8a2442f3f3f5ea7142

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.pierreinsurancebrokers.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    advisor@1234

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:892
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EosAecC" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD68.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1336
    • C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe
      "C:\Users\Admin\AppData\Local\Temp\Quotation Bailey Trading.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1812

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD68.tmp

    MD5

    8ab7e9d4e4a73fbe46465f080bc4d4dd

    SHA1

    61d7fb1aaa4b872deee4ea9c09087847d500f33c

    SHA256

    7b941e45d2fa946ff984a5e9bcdbad92fd2a62a1ff343c122b9836bbf3f5ce95

    SHA512

    e4732dfdeb4355d814b5a25b5440bd051cb065e9ec03c1272d0cdebc2dc01c4b23d72005bc9fa1c8791d30a035b25d773a60318f334579072f4887012ec3bed8

  • memory/1336-0-0x0000000000000000-mapping.dmp

  • memory/1812-2-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1812-3-0x0000000000446C5E-mapping.dmp

  • memory/1812-4-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB

  • memory/1812-5-0x0000000000400000-0x000000000044C000-memory.dmp

    Filesize

    304KB