Analysis

max time kernel: 140s
max time network: 141s
platform: windows10_x64
resource: win10
submitted: 09-07-2020 12:36

Static task: static1
Behavioral task: behavioral1
Sample: AT.exe
Resource: win7v200430
General

Target: AT.exe
Size: 672KB
MD5: 713f89671daa7b8a669b72f0df80c662
SHA1: e6a6c838588c62a1ed199f3ac580bad225b60ced
SHA256: faba6cc8e2795ec5c1f2a44829767bad991892d00c8c3374cc8723f15402e97c
SHA512: 5fbc5f60edd8fcaf7cae1a437a8bbb7511d41356406279987adc9b860148535c8b55822d64b137112f624b017b7e72fda02142c34c9e302f632ea665fbd48582
Malware Config

Extracted: agenttesla
Protocol: smtp
Host: mail.halalemporda.com
Port: 587
Username: [email protected]
Password: Hmmf@2020
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (3 IoCs)
Processes:
  resource | yara_rule
  behavioral2/memory/3840-1-0x00000000004A2800-mapping.dmp | family_agenttesla
  behavioral2/memory/3840-4-0x0000000000400000-0x00000000004A4000-memory.dmp | family_agenttesla
  behavioral2/memory/3840-5-0x00000000021A0000-0x00000000021EC000-memory.dmp | family_agenttesla

Processes:
  resource | yara_rule
  behavioral2/memory/3840-0-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral2/memory/3840-3-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
  behavioral2/memory/3840-4-0x0000000000400000-0x00000000004A4000-memory.dmp | upx
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description | pid | process | target process
  PID 720 set thread context of 3840 | 720 | AT.exe | AT.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
  pid | process
  720 | AT.exe
  720 | AT.exe
  3008 | AT.exe
  (the 3008 | AT.exe row repeats for all remaining entries; 64 entries in total)

Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid | process
  720 | AT.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3840 | AT.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description | pid | process | target process
  PID 720 wrote to memory of 3840 | 720 | AT.exe | AT.exe
  PID 720 wrote to memory of 3840 | 720 | AT.exe | AT.exe
  PID 720 wrote to memory of 3840 | 720 | AT.exe | AT.exe
  PID 720 wrote to memory of 3008 | 720 | AT.exe | AT.exe
  PID 720 wrote to memory of 3008 | 720 | AT.exe | AT.exe
  PID 720 wrote to memory of 3008 | 720 | AT.exe | AT.exe
Processes

C:\Users\Admin\AppData\Local\Temp\AT.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\AT.exe"
  PID: 720
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\AT.exe (child of PID 720)
    command line: "C:\Users\Admin\AppData\Local\Temp\AT.exe"
    PID: 3840
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Local\Temp\AT.exe (child of PID 720)
    command line: "C:\Users\Admin\AppData\Local\Temp\AT.exe" 2 3840 54953
    PID: 3008
    - Suspicious behavior: EnumeratesProcesses