Analysis
-
max time kernel
84s -
max time network
53s -
platform
windows7_x64 -
resource
win7 -
submitted
10-07-2020 05:08
General
-
Target
invoice copy.pdf.exe
-
Size
555KB
-
MD5
08da5cb8effb83a1bfc20d4211960ddb
-
SHA1
48e27634adf28e5f88484d4a9b51613f01263d16
-
SHA256
963187e0780a5447539322536555e2e3898d85dfb6762e6f63d2bc634d6fa6c7
-
SHA512
321264e2615098be16f79206997a29087a495d4c1e351b495fed9cf83672fc1f9e304f4aa0fe3f0b247f23627eea0380961201bf9cbf1f0ef6ae57570f148a28
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
chibuikelightwork1
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\invoice copy.pdf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
304KB
-
-
Filesize
304KB
-
Filesize
304KB