Analysis
-
max time kernel
88s -
max time network
117s -
platform
windows10_x64 -
resource
win10 -
submitted
09-07-2020 08:41
Static task
static1
Behavioral task
behavioral1
Sample
SCAN001.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
SCAN001.exe
Resource
win10
General
-
Target
SCAN001.exe
-
Size
519KB
-
MD5
2b636c590fae7253b6fcfba40c47e510
-
SHA1
e7786082a2faeb0368310e06ff117e9afa3c7638
-
SHA256
cc7970302efd5fe131f88c816525f4b898062cb96ee9e5c00de192298558c52c
-
SHA512
53c857093dd9aa86144a1845c976aa90354a0ec1030e2417cc06866c4ae1658b8e14a318fde711f89a826b92f5232169c5a862efe750c0aea6f13e57a8e53f9d
Malware Config
Extracted
Protocol: smtp- Host:
maff.ro - Port:
587 - Username:
[email protected] - Password:
Maff1234!@#$
Extracted
agenttesla
Protocol: smtp- Host:
maff.ro - Port:
587 - Username:
[email protected] - Password:
Maff1234!@#$
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2540-0-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral2/memory/2540-1-0x0000000000446CBE-mapping.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
SCAN001.exedescription pid process target process PID 3700 set thread context of 2540 3700 SCAN001.exe SCAN001.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
SCAN001.exeSCAN001.exepid process 3700 SCAN001.exe 3700 SCAN001.exe 2540 SCAN001.exe 2540 SCAN001.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
SCAN001.exeSCAN001.exedescription pid process Token: SeDebugPrivilege 3700 SCAN001.exe Token: SeDebugPrivilege 2540 SCAN001.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
SCAN001.exepid process 2540 SCAN001.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
SCAN001.exedescription pid process target process PID 3700 wrote to memory of 3856 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 3856 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 3856 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe PID 3700 wrote to memory of 2540 3700 SCAN001.exe SCAN001.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700 -
C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"{path}"2⤵PID:3856
-
C:\Users\Admin\AppData\Local\Temp\SCAN001.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2540
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
ef140ef600b2463c9e7dbf064a104046
SHA1c08fd1853877be95575ea2e860dd8cafef31f54c
SHA256ad8ae97fdeb174b20f02c7ddf9466981856d77d51133599b5954f48f78a1b616
SHA512bf16df0994080bdc832cb39a312e0095de57608256fcf0d04d589e0bdf3283f918fb0d6ec86ea28a4b1af6db12813c52a724028f02330ebc3a9d32a4fcda706c