Analysis
- max time kernel: 54s
- max time network: 67s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 05:02
Static task: static1
Behavioral task: behavioral1
Sample: BL Draft Copy.pdf.exe
Resource: win7
General
- Target: BL Draft Copy.pdf.exe
- Size: 812KB
- MD5: 885900056abb5f0a362211a230daa1a4
- SHA1: 21a62f068a4c37bbda0dde995a5ce6ce804da9d6
- SHA256: 2b959630e96963b865a8f048f31385980d0f2aabb02846cc349278489dcf72b3
- SHA512: 8e6060b76b669cfda83460479a434229aa8f3a164618c5e1b572f4d7f6ad07001bb43bc374d34284d9f968665699fa1032473c523d58382fa76fb78c7c0703c6
Malware Config
Extracted
agenttesla
- Protocol: smtp
- Host: smtp.mail.ru
- Port: 587
- Username: [email protected]
- Password: kalinin5
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource                                                                    yara_rule
behavioral1/memory/1796-1-0x00000000004A24B0-mapping.dmp                    family_agenttesla
behavioral1/memory/1796-3-0x0000000000400000-0x00000000004A4000-memory.dmp  family_agenttesla
behavioral1/memory/1796-4-0x00000000002C0000-0x000000000030C000-memory.dmp  family_agenttesla
behavioral1/memory/1796-6-0x0000000000220000-0x0000000000266000-memory.dmp  family_agenttesla
-
Processes:
resource                                                                    yara_rule
behavioral1/memory/1796-0-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
behavioral1/memory/1796-2-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
behavioral1/memory/1796-3-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
BL Draft Copy.pdf.exe
description                           pid   process                target process
PID 1684 set thread context of 1796   1684  BL Draft Copy.pdf.exe  BL Draft Copy.pdf.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
BL Draft Copy.pdf.exe, BL Draft Copy.pdf.exe
pid   process
1684  BL Draft Copy.pdf.exe
1796  BL Draft Copy.pdf.exe
1796  BL Draft Copy.pdf.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
BL Draft Copy.pdf.exe
pid   process
1684  BL Draft Copy.pdf.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
BL Draft Copy.pdf.exe
description              pid   process
Token: SeDebugPrivilege  1796  BL Draft Copy.pdf.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes:
BL Draft Copy.pdf.exe
description                      pid   process                target process
PID 1684 wrote to memory of 1796  1684  BL Draft Copy.pdf.exe  BL Draft Copy.pdf.exe
PID 1684 wrote to memory of 1796  1684  BL Draft Copy.pdf.exe  BL Draft Copy.pdf.exe
PID 1684 wrote to memory of 1796  1684  BL Draft Copy.pdf.exe  BL Draft Copy.pdf.exe
PID 1684 wrote to memory of 1796  1684  BL Draft Copy.pdf.exe  BL Draft Copy.pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\BL Draft Copy.pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\BL Draft Copy.pdf.exe"
  PID: 1684
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\BL Draft Copy.pdf.exe (child of PID 1684)
    Command line: "C:\Users\Admin\AppData\Local\Temp\BL Draft Copy.pdf.exe"
    PID: 1796
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken