Analysis

  • max time kernel
    91s
  • max time network
    37s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    10-07-2020 07:06

General

  • Target

    WT0045679.exe

  • Size

    428KB

  • MD5

    8b721799c0f207360c4077fe7a3a1c24

  • SHA1

    6574355e2c48b72c2ab2e4476e4168602f4c2b65

  • SHA256

    de638d68163fe7f49b3371adbe9456b2c2ed2ef5182324e768dc42793591c7de

  • SHA512

    80fb3644df03c06296a865128d021ec9c7258e39d40d986e53f611402173c3972add21f49013ac1c82d159e7bb473e8e3ea8c2b71b34a8c9efe0078712a32eaa

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    us2.smtp.mailhostbox.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    o~02Bx@Odn{r

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
    "C:\Users\Admin\AppData\Local\Temp\WT0045679.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1500
    • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
      "{path}"
      2⤵
        PID:1836
      • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
        "{path}"
        2⤵
          PID:1860
        • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
          "{path}"
          2⤵
            PID:1852
          • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
            "{path}"
            2⤵
              PID:1876
            • C:\Users\Admin\AppData\Local\Temp\WT0045679.exe
              "{path}"
              2⤵
              • Adds Run key to start application
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:1868

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1500-1-0x0000000000000000-0x0000000000000000-disk.dmp

          • memory/1868-2-0x0000000000400000-0x000000000044C000-memory.dmp

            Filesize

            304KB

          • memory/1868-3-0x0000000000446F1E-mapping.dmp

          • memory/1868-4-0x0000000000400000-0x000000000044C000-memory.dmp

            Filesize

            304KB

          • memory/1868-5-0x0000000000400000-0x000000000044C000-memory.dmp

            Filesize

            304KB