Analysis
max time kernel: 149s
max time network: 149s
platform: windows10_x64
resource: win10v200430
submitted: 10-07-2020 10:20
Static task: static1
Behavioral task: behavioral1
Sample: Ticari Hesap Özetiniz.exe
Resource: win7
General
Target: Ticari Hesap Özetiniz.exe
Size: 859KB
MD5: 65d91afd6d190c5dfccd0c4b2faa7f76
SHA1: 27be872b98d82b2c97616276b246cb3a4a71a27e
SHA256: 14a6748757c109080de791b34d158b8e1e7b99831d64bde4d901f5f4ef0a4c20
SHA512: b86c50da567fdf2ab71c958a458b9f21076b742999f2459fb735ef2e453b64a5611272acfcdac5d89dad389f37d5d7f585bcc4a01a13b0e13c9c89f33658376f
Malware Config
Extracted
Family: agenttesla
Protocol: smtp
Host: mail.hospitalveterinariosur.com
Port: 587
Username: [email protected]
Password: HospitalVeterinarioAlSur2018
Signatures
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload 2 IoCs
Processes:
resource                                                                     yara_rule
behavioral2/memory/2536-4-0x0000000000400000-0x00000000004B0000-memory.dmp   family_agenttesla
behavioral2/memory/2536-5-0x00000000021C0000-0x0000000002212000-memory.dmp   family_agenttesla
Processes:
resource                                                                     yara_rule
behavioral2/memory/2536-0-0x0000000000400000-0x00000000004B0000-memory.dmp   upx
behavioral2/memory/2536-3-0x0000000000400000-0x00000000004B0000-memory.dmp   upx
behavioral2/memory/2536-4-0x0000000000400000-0x00000000004B0000-memory.dmp   upx
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext 1 IoCs
Processes:
description                           pid    process                     target process
PID 3812 set thread context of 2536   3812   Ticari Hesap Özetiniz.exe   Ticari Hesap Özetiniz.exe
Suspicious behavior: EnumeratesProcesses 44 IoCs
Processes:
pid    process
3812   Ticari Hesap Özetiniz.exe   (2 entries)
3944   Ticari Hesap Özetiniz.exe   (40 entries)
2536   Ticari Hesap Özetiniz.exe   (2 entries)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid    process
3812   Ticari Hesap Özetiniz.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description               pid    process
Token: SeDebugPrivilege   2536   Ticari Hesap Özetiniz.exe
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
description                        pid    process                     target process
PID 3812 wrote to memory of 2536   3812   Ticari Hesap Özetiniz.exe   Ticari Hesap Özetiniz.exe   (3 entries)
PID 3812 wrote to memory of 3944   3812   Ticari Hesap Özetiniz.exe   Ticari Hesap Özetiniz.exe   (3 entries)
PID 2536 wrote to memory of 3852   2536   Ticari Hesap Özetiniz.exe   netsh.exe                   (3 entries)
Processes
C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"
  PID: 3812
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe"
      PID: 2536
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\netsh.exe
          Command line: "netsh" wlan show profile
          PID: 3852
    C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Ticari Hesap Özetiniz.exe" 2 2536 99406
      PID: 3944
      - Suspicious behavior: EnumeratesProcesses