Analysis

Max time kernel: 111s
Max time network: 118s
Platform: windows7_x64
Resource: win7
Submitted: 10-07-2020 07:14

Static task: static1

Behavioral task: behavioral1
Sample: 4501307788.jpg.exe
Resource: win7
0 signatures, 0 seconds

Behavioral task: behavioral2
Sample: 4501307788.jpg.exe
Resource: win10v200430
0 signatures, 0 seconds
General

Target: 4501307788.jpg.exe
Size: 551KB
MD5: 525ffc51861aa3e034a920675a3e0103
SHA1: 5b9342b3934769dee07c5e1a56525aeea917e508
SHA256: aa47e9580c4ae0012ca77f96f5755ac49129566b7c9331b6d3749e96707f440c
SHA512: 2643190ba8e5652e7e4b8a513ce93724bc54abdc195f5b537c9c9b3d3f82b883fc2f270d091ea05cda904505dedad415355f526c287705980f53f53edb3c9a6c
Score: 10/10
Malware Config

Extracted
Family: agenttesla

Credentials
Protocol: smtp
Host: smtp.yandex.com
Port: 587
Username: [email protected]
Password: HYF76io83%$6
Signatures
-
AgentTesla
Agent Tesla is a .NET-based remote access tool (RAT) and information stealer, originally written in Visual Basic .NET. It is sold as a keylogger and credential stealer and exfiltrates harvested data over channels such as SMTP, FTP or HTTP; the SMTP mailbox credentials above are its exfiltration account for this sample.
-
AgentTesla Payload (4 IoCs)
resource                                                                     yara_rule
behavioral1/memory/276-0-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
behavioral1/memory/276-1-0x0000000000446DEE-mapping.dmp                      family_agenttesla
behavioral1/memory/276-2-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
behavioral1/memory/276-3-0x0000000000400000-0x000000000044C000-memory.dmp    family_agenttesla
-
Drops startup file (1 IoC)
description    ioc                                                                                          Process
File created   C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe    4501307788.jpg.exe
-
Suspicious use of SetThreadContext (1 IoC)
description                          pid    Process              procid_target
PID 1508 set thread context of 276   1508   4501307788.jpg.exe   24
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid   Process
276   RegAsm.exe
276   RegAsm.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
pid    Process
1508   4501307788.jpg.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description               pid   Process
Token: SeDebugPrivilege   276   RegAsm.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid   Process
276   RegAsm.exe
-
Suspicious use of WriteProcessMemory (8 IoCs)
description                       pid    Process              procid_target
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
PID 1508 wrote to memory of 276   1508   4501307788.jpg.exe   24
Processes

C:\Users\Admin\AppData\Local\Temp\4501307788.jpg.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4501307788.jpg.exe"
  PID: 1508
  - Drops startup file
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe (child of PID 1508)
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    PID: 276
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
-
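The signature rows and the process tree above describe one chain: the dropper (PID 1508) stages an image with MapViewOfSection, writes into a freshly started RegAsm.exe (PID 276) eight times, then redirects that process's thread with SetThreadContext, after which every AgentTesla YARA hit lands in PID 276's memory and the hooking, privilege and process-enumeration behaviour comes from RegAsm.exe rather than the dropper. The script below is an added example (not the sandbox's code and not code from the sample) that turns rows like these into a verdict. All events are constructed from this page's tables; the field layout, the `DOTNET_HOSTS` list and the MITRE technique IDs attached to each finding are my own assumptions.

```python
"""Correlate sandbox signature rows into a process-hollowing verdict.

Added example for this report; not the sandbox's own logic. Every event is
constructed from the rows on the page; field names and DOTNET_HOSTS are assumed.
"""
import re
from collections import Counter, defaultdict

# (pid, image, action, target_pid) constructed from the signature tables above.
EVENTS = [(1508, "4501307788.jpg.exe", "WriteProcessMemory", 276)] * 8 + [
    (1508, "4501307788.jpg.exe", "SetThreadContext", 276),
    (1508, "4501307788.jpg.exe", "MapViewOfSection", None),
    (276, "RegAsm.exe", "EnumeratesProcesses", None),
    (276, "RegAsm.exe", "AdjustPrivilegeToken:SeDebugPrivilege", None),
    (276, "RegAsm.exe", "SetWindowsHookEx", None),
]

# (pid, image, path) constructed from the "Drops startup file" table.
FILE_DROPS = [(1508, "4501307788.jpg.exe",
               r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HJdyTuap.exe")]

# Memory dumps that matched family_agenttesla, named as the sandbox emits them.
YARA_HITS = [
    "behavioral1/memory/276-0-0x0000000000400000-0x000000000044C000-memory.dmp",
    "behavioral1/memory/276-1-0x0000000000446DEE-mapping.dmp",
    "behavioral1/memory/276-2-0x0000000000400000-0x000000000044C000-memory.dmp",
    "behavioral1/memory/276-3-0x0000000000400000-0x000000000044C000-memory.dmp",
]

# Signed .NET framework tools frequently used as hollowing hosts (assumed list).
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe",
                "aspnet_compiler.exe", "csc.exe", "vbc.exe"}

DUMP_RE = re.compile(
    r"/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


def parse_dump_name(name):
    """Split '<pid>-<idx>-0x<start>[-0x<end>]-<kind>.dmp' into its fields."""
    m = DUMP_RE.search(name)
    if not m:
        return None
    d = m.groupdict()
    return {"pid": int(d["pid"]), "index": int(d["idx"]), "kind": d["kind"],
            "start": int(d["start"], 16),
            "end": int(d["end"], 16) if d["end"] else None}


def analyse(events=EVENTS, drops=FILE_DROPS, yara_hits=YARA_HITS):
    """Return a list of (technique_id, description) findings."""
    image = {pid: img for pid, img, _, _ in events}
    cross = defaultdict(Counter)   # (src_pid, dst_pid) -> action counts
    local = defaultdict(set)       # pid -> actions it performed on itself
    for pid, _, action, target in events:
        if target is None:
            local[pid].add(action.split(":")[0])
        else:
            cross[(pid, target)][action] += 1

    hit_pids = {h["pid"] for h in map(parse_dump_name, yara_hits) if h}
    findings = []
    for (src, dst), acts in cross.items():
        # Hollowing needs a write into the child plus a hijacked thread context;
        # MapViewOfSection in the parent is how the replacement image is staged.
        if acts["WriteProcessMemory"] and acts["SetThreadContext"]:
            host = image.get(dst, "?")
            note = (f"{image[src]} ({src}) wrote {acts['WriteProcessMemory']}x into "
                    f"{host} ({dst}) and set its thread context")
            if host.lower() in DOTNET_HOSTS:
                note += "; target is a signed .NET tool"
            if dst in hit_pids:
                note += "; family YARA rule hit in the child's memory"
            findings.append(("T1055.012", note))
            # Behaviour seen in the injected child belongs to the payload, not the host.
            if "SetWindowsHookEx" in local[dst]:
                findings.append(("T1056.001", f"{host} ({dst}) installed a Windows hook"))
    for pid, img, path in drops:
        if "\\start menu\\programs\\startup\\" in path.lower():
            dropped = path.rsplit("\\", 1)[-1]
            findings.append(("T1547.001", f"{img} ({pid}) dropped {dropped} into the Startup folder"))
    return findings


if __name__ == "__main__":
    for technique, description in analyse():
        print(technique, description)
```

The verdict hinges on the pair WriteProcessMemory plus SetThreadContext across a parent/child boundary; either call alone is common in legitimate software (debuggers, installers), which is why the sandbox only flags each as "suspicious". Attributing the hook and SeDebugPrivilege to the hollowed RegAsm.exe rather than to Microsoft's tool is what lets a hunt query key on the parent image instead of the signed host.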