Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
09-07-2020 12:06
Static task
static1
Behavioral task
behavioral1
Sample
shine.exe
Resource
win7
General
-
Target
shine.exe
-
Size
807KB
-
MD5
44c42eb64ce79f148d0c66afb67092bb
-
SHA1
f4b1933b1ad9bd261a0d657e3a2a167ef2dadaab
-
SHA256
c9fbaba2cece9a148814fc244e4975de08a58d5fc1ccab3132a29748d8e863e2
-
SHA512
c03fdaa51273af710200c7ec7e39b1048bee095ce2513721b0b721e9a6a2c808843f162fa3fda95e2db3729e1702b599a608c8cdc13da4f7b3b24b8505d5897a
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.serviciocitroen.com - Port:
587 - Username:
[email protected] - Password:
FXO]%cdB8gx-
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2484-3-0x0000000000400000-0x00000000004A5000-memory.dmp family_agenttesla behavioral2/memory/2484-4-0x0000000002140000-0x000000000218C000-memory.dmp family_agenttesla -
Processes:
resource yara_rule behavioral2/memory/2484-0-0x0000000000400000-0x00000000004A5000-memory.dmp upx behavioral2/memory/2484-2-0x0000000000400000-0x00000000004A5000-memory.dmp upx behavioral2/memory/2484-3-0x0000000000400000-0x00000000004A5000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
shine.exedescription pid process target process PID 2104 set thread context of 2484 2104 shine.exe shine.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
shine.exeshine.exepid process 2104 shine.exe 2104 shine.exe 2484 shine.exe 2484 shine.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
shine.exepid process 2104 shine.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
shine.exedescription pid process Token: SeDebugPrivilege 2484 shine.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
shine.exedescription pid process target process PID 2104 wrote to memory of 2484 2104 shine.exe shine.exe PID 2104 wrote to memory of 2484 2104 shine.exe shine.exe PID 2104 wrote to memory of 2484 2104 shine.exe shine.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\shine.exe"C:\Users\Admin\AppData\Local\Temp\shine.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\shine.exe"C:\Users\Admin\AppData\Local\Temp\shine.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484