Analysis
- max time kernel: 91s
- max time network: 37s
- platform: windows7_x64
- resource: win7v200430
- submitted: 10-07-2020 07:06
Static task: static1
Behavioral task: behavioral1
  Sample: WT0045679.exe
  Resource: win7v200430
Behavioral task: behavioral2
  Sample: WT0045679.exe
  Resource: win10
General
- Target: WT0045679.exe
- Size: 428KB
- MD5: 8b721799c0f207360c4077fe7a3a1c24
- SHA1: 6574355e2c48b72c2ab2e4476e4168602f4c2b65
- SHA256: de638d68163fe7f49b3371adbe9456b2c2ed2ef5182324e768dc42793591c7de
- SHA512: 80fb3644df03c06296a865128d021ec9c7258e39d40d986e53f611402173c3972add21f49013ac1c82d159e7bb473e8e3ea8c2b71b34a8c9efe0078712a32eaa
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: us2.smtp.mailhostbox.com
- Port: 587
- Username: [email protected]
- Password: o~02Bx@Odn{r
Signatures

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.

- AgentTesla Payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1868-2-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1868-3-0x0000000000446F1E-mapping.dmp                    family_agenttesla
  behavioral1/memory/1868-4-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1868-5-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\newApp = "C:\\Users\\Admin\\AppData\\Roaming\\newApp\\newApp.exe"
  Process: WT0045679.exe

- Suspicious use of SetThreadContext (1 IoC)
  description: PID 1500 set thread context of 1868
  pid: 1500
  Process: WT0045679.exe
  procid_target: 30

- Suspicious behavior: EnumeratesProcesses (11 IoCs)
  pid   Process
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1500  WT0045679.exe
  1868  WT0045679.exe
  1868  WT0045679.exe

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1500  WT0045679.exe
  Token: SeDebugPrivilege  1868  WT0045679.exe

- Suspicious use of WriteProcessMemory (25 IoCs)
  description                       pid   Process        procid_target
  PID 1500 wrote to memory of 1836  1500  WT0045679.exe  26
  PID 1500 wrote to memory of 1836  1500  WT0045679.exe  26
  PID 1500 wrote to memory of 1836  1500  WT0045679.exe  26
  PID 1500 wrote to memory of 1836  1500  WT0045679.exe  26
  PID 1500 wrote to memory of 1860  1500  WT0045679.exe  27
  PID 1500 wrote to memory of 1860  1500  WT0045679.exe  27
  PID 1500 wrote to memory of 1860  1500  WT0045679.exe  27
  PID 1500 wrote to memory of 1860  1500  WT0045679.exe  27
  PID 1500 wrote to memory of 1852  1500  WT0045679.exe  28
  PID 1500 wrote to memory of 1852  1500  WT0045679.exe  28
  PID 1500 wrote to memory of 1852  1500  WT0045679.exe  28
  PID 1500 wrote to memory of 1852  1500  WT0045679.exe  28
  PID 1500 wrote to memory of 1876  1500  WT0045679.exe  29
  PID 1500 wrote to memory of 1876  1500  WT0045679.exe  29
  PID 1500 wrote to memory of 1876  1500  WT0045679.exe  29
  PID 1500 wrote to memory of 1876  1500  WT0045679.exe  29
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
  PID 1500 wrote to memory of 1868  1500  WT0045679.exe  30
Processes

- C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "C:\Users\Admin\AppData\Local\Temp\WT0045679.exe"  PID:1500
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "{path}"  PID:1836
  - C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "{path}"  PID:1860
  - C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "{path}"  PID:1852
  - C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "{path}"  PID:1876
  - C:\Users\Admin\AppData\Local\Temp\WT0045679.exe  "{path}"  PID:1868
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken