Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09-07-2020 18:24
Static task
static1
Behavioral task
behavioral1
Sample
Disc FDBC 3660.exe
Resource
win7
Behavioral task
behavioral2
Sample
Disc FDBC 3660.exe
Resource
win10v200430
General
-
Target
Disc FDBC 3660.exe
-
Size
566KB
-
MD5
943270627e8eb4b1567dc76a6a9196fc
-
SHA1
592dc27309861b4ef99e122fe63293010dc7d812
-
SHA256
5a31aebe8d849348df31616a406d024dfc43a6c39187640d05c06f4a4d72887b
-
SHA512
bbdd498ad4e43372706acb94e9a780114ee85cd86172da9194e8710a8083663268ef2b878f3fe1b089330a386d648b76446d07dcea4b0df8062ccc7300f3d9ab
Malware Config
Extracted
Protocol: smtp- Host:
mail.coolgirlsnation.com - Port:
25 - Username:
[email protected] - Password:
Qwerty123@
Signatures
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Disc FDBC 3660.exepid Process 2460 Disc FDBC 3660.exe 2460 Disc FDBC 3660.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Disc FDBC 3660.exepid Process 2460 Disc FDBC 3660.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process procid_target PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 PID 3008 wrote to memory of 2460 3008 Disc FDBC 3660.exe 71 -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process procid_target PID 3008 set thread context of 2460 3008 Disc FDBC 3660.exe 71 -
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Disc FDBC 3660.exedescription pid Process Token: SeDebugPrivilege 2460 Disc FDBC 3660.exe -
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"1⤵
- Suspicious use of WriteProcessMemory
- Suspicious use of SetThreadContext
PID:3008 -
C:\Users\Admin\AppData\Local\Temp\Disc FDBC 3660.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of AdjustPrivilegeToken
PID:2460
-