Analysis
- max time kernel: 117s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 10:20
Static task: static1
Behavioral task: behavioral1
Sample: Ticari Hesap Özetiniz.exe
Resource: win7
General
- Target: Ticari Hesap Özetiniz.exe
- Size: 859KB
- MD5: 65d91afd6d190c5dfccd0c4b2faa7f76
- SHA1: 27be872b98d82b2c97616276b246cb3a4a71a27e
- SHA256: 14a6748757c109080de791b34d158b8e1e7b99831d64bde4d901f5f4ef0a4c20
- SHA512: b86c50da567fdf2ab71c958a458b9f21076b742999f2459fb735ef2e453b64a5611272acfcdac5d89dad389f37d5d7f585bcc4a01a13b0e13c9c89f33658376f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.hospitalveterinariosur.com
- Port: 587
- Username: [email protected]
- Password: HospitalVeterinarioAlSur2018
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
behavioral1/memory/1552-1-0x00000000004AE050-mapping.dmp | family_agenttesla
behavioral1/memory/1552-4-0x0000000000400000-0x00000000004B0000-memory.dmp | family_agenttesla
behavioral1/memory/1552-5-0x0000000000380000-0x00000000003D2000-memory.dmp | family_agenttesla
behavioral1/memory/1552-7-0x0000000000220000-0x000000000026C000-memory.dmp | family_agenttesla
-
Processes:
resource | yara_rule
behavioral1/memory/1552-0-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
behavioral1/memory/1552-3-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
behavioral1/memory/1552-4-0x0000000000400000-0x00000000004B0000-memory.dmp | upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 1464 set thread context of 1552 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
1464 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1016 | Ticari Hesap Özetiniz.exe
1552 | Ticari Hesap Özetiniz.exe
1552 | Ticari Hesap Özetiniz.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
1464 | Ticari Hesap Özetiniz.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 1552 | Ticari Hesap Özetiniz.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 1464 wrote to memory of 1552 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1552 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1552 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1552 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1016 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1016 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1016 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1464 wrote to memory of 1016 | 1464 | Ticari Hesap Özetiniz.exe | Ticari Hesap Özetiniz.exe
PID 1552 wrote to memory of 1764 | 1552 | Ticari Hesap Özetiniz.exe | netsh.exe
PID 1552 wrote to memory of 1764 | 1552 | Ticari Hesap Özetiniz.exe | netsh.exe
PID 1552 wrote to memory of 1764 | 1552 | Ticari Hesap Özetiniz.exe | netsh.exe
PID 1552 wrote to memory of 1764 | 1552 | Ticari Hesap Özetiniz.exe | netsh.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"
  PID: 1464
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"
    PID: 1552
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\netsh.exe (depth 3)
      Command line: "netsh" wlan show profile
      PID: 1764
  - C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe" 2 1552 66893
    PID: 1016
    - Suspicious behavior: EnumeratesProcesses