Analysis

- max time kernel: 84s
- max time network: 61s
- platform: windows7_x64
- resource: win7
- submitted: 10-07-2020 17:49
Static task: static1

Behavioral task: behavioral1
- Sample: Prueba de pago.exe
- Resource: win7

Behavioral task: behavioral2
- Sample: Prueba de pago.exe
- Resource: win10
General

- Target: Prueba de pago.exe
- Size: 622KB
- MD5: fb739af6dbe47cb7c5cdd1ebde656bcf
- SHA1: b098b560be9aababae267c4643cc61639d1f8425
- SHA256: 1237b8ef1ef28e7481b47113c644429a68c87858cc5ee8a020607f75696863d1
- SHA512: 2309409d0f6e93740868ecbfaf1c5ff67c507b7d844750145873e0033c8c224f18c35597c12de056fcf22791194c024026766fee425e3642a96aede22ca7d6e7
Malware Config

Extracted: agenttesla

- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: [email protected] (the username is shown redacted on this page)
- Password: babacj1234567890

These are the credentials of the attacker-controlled mailbox that Agent Tesla logs into to send stolen data; the host, port and account are exfiltration indicators for this sample, not victim data.
Signatures

- AgentTesla
  Agent Tesla is a .NET information stealer and remote access tool (RAT), typically compiled from Visual Basic .NET. It harvests saved credentials and keystrokes and exfiltrates them; the config extracted from this sample uses SMTP.

- AgentTesla Payload (4 IoCs)
  YARA rule family_agenttesla matched in these memory dumps of PID 1476:
  - behavioral1/memory/1476-2-0x0000000000400000-0x000000000044C000-memory.dmp
  - behavioral1/memory/1476-3-0x0000000000446D8E-mapping.dmp
  - behavioral1/memory/1476-4-0x0000000000400000-0x000000000044C000-memory.dmp
  - behavioral1/memory/1476-5-0x0000000000400000-0x000000000044C000-memory.dmp

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Suspicious use of SetThreadContext (1 IoC)
  PID 1108 (Prueba de pago.exe) set the thread context of PID 1476 (Prueba de pago.exe).

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1476 (Prueba de pago.exe), recorded twice.

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1476 (Prueba de pago.exe) adjusted its token to hold SeDebugPrivilege.

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1476 (Prueba de pago.exe).

- Suspicious use of WriteProcessMemory (9 IoCs)
  PID 1108 (Prueba de pago.exe) wrote to the memory of PID 1476 (Prueba de pago.exe); the same writer/target pair was recorded nine times.

  Read together, these events are the classic process-hollowing (RunPE) pattern: the parent (1108) starts a second copy of its own image, writes into it repeatedly, then calls SetThreadContext to redirect the child's main thread into the unpacked code. That is consistent with the family YARA rule matching only in dumps of PID 1476, starting at 0x400000, the default image base of a 32-bit PE. The SeDebugPrivilege and SetWindowsHookEx calls come from the hollowed child; SetWindowsHookEx is the usual mechanism for a keyboard hook, which fits the stealer's keylogging.
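The three "Reads ..." signatures above say what was touched but not how a detection would separate a stealer sweeping several credential stores from a legitimate client reading its own. The following is an added example, not the sandbox's own code: it classifies file-read events by store type and flags any process that reads stores of more than one kind. The event records are constructed (the sandbox's real event schema and the exact files this sample opened are not on the page), and the store paths are the documented default locations for FileZilla, Chromium-based browsers, Firefox and Thunderbird, not values taken from the report.

```python
"""Flag processes that read credential stores of several kinds (FTP, browser, mail).

Added example; the events below are constructed to mirror the report's
signatures, and the store locations are the products' documented defaults.
"""
import fnmatch
from collections import defaultdict

# (category, glob) pairs, matched case-insensitively against the full path.
# fnmatch's '*' also crosses backslashes, which is what we want for profile
# directory names such as "Default" or "abcd1234.default".
CREDENTIAL_STORES = [
    ("ftp_client",   r"*\appdata\roaming\filezilla\sitemanager.xml"),
    ("ftp_client",   r"*\appdata\roaming\filezilla\recentservers.xml"),
    ("ftp_client",   r"*\appdata\roaming\filezilla\filezilla.xml"),
    ("web_browser",  r"*\appdata\local\google\chrome\user data\*\login data"),
    ("web_browser",  r"*\appdata\local\microsoft\edge\user data\*\login data"),
    ("web_browser",  r"*\appdata\roaming\mozilla\firefox\profiles\*\logins.json"),
    ("web_browser",  r"*\appdata\roaming\mozilla\firefox\profiles\*\key4.db"),
    ("email_client", r"*\appdata\roaming\thunderbird\profiles\*\logins.json"),
    ("email_client", r"*\appdata\roaming\thunderbird\profiles\*\key4.db"),
]


def classify(path):
    """Return the store category for a path, or None if it is not a known store."""
    p = path.lower()
    for category, pattern in CREDENTIAL_STORES:
        if fnmatch.fnmatchcase(p, pattern):
            return category
    return None


def credential_access_by_process(events, min_categories=2):
    """Group reads per PID and flag PIDs touching >= min_categories store kinds.

    A real FTP client or browser reads only its own store; an infostealer
    sweeps FTP, browser and mail stores from one process, so the number of
    distinct categories is the discriminating signal.
    """
    per_pid = defaultdict(lambda: {"image": None, "stores": defaultdict(set)})
    for e in events:
        if e["op"] != "read":
            continue
        cat = classify(e["path"])
        if cat is None:
            continue
        rec = per_pid[e["pid"]]
        rec["image"] = e["image"]
        rec["stores"][cat].add(e["path"])

    findings = []
    for pid, rec in per_pid.items():
        if len(rec["stores"]) >= min_categories:
            findings.append({
                "pid": pid,
                "image": rec["image"],
                "categories": sorted(rec["stores"]),
                "files": sorted(p for s in rec["stores"].values() for p in s),
            })
    return sorted(findings, key=lambda f: f["pid"])


# Constructed events: PID 1476 (the hollowed child in the report) sweeping three
# store types plus an unrelated DLL, and a benign FileZilla reading its own config.
SAMPLE_EVENTS = [
    {"pid": 1476, "image": "Prueba de pago.exe", "op": "read",
     "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\recentservers.xml"},
    {"pid": 1476, "image": "Prueba de pago.exe", "op": "read",
     "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
    {"pid": 1476, "image": "Prueba de pago.exe", "op": "read",
     "path": r"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 1476, "image": "Prueba de pago.exe", "op": "read",
     "path": r"C:\Users\Admin\AppData\Roaming\Thunderbird\Profiles\abcd1234.default\logins.json"},
    {"pid": 1476, "image": "Prueba de pago.exe", "op": "read",
     "path": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 2204, "image": "filezilla.exe", "op": "read",
     "path": r"C:\Users\Admin\AppData\Roaming\FileZilla\sitemanager.xml"},
]

if __name__ == "__main__":
    for f in credential_access_by_process(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['image']}) read {len(f['files'])} credential "
              f"stores across: {', '.join(f['categories'])}")
```

Run against the constructed events, only PID 1476 is reported (FTP, browser and mail stores); the FileZilla process reading its own sitemanager.xml is not, because it touches a single category. Tune `min_categories` and extend `CREDENTIAL_STORES` with the clients present in your environment before using the logic on real telemetry.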
Processes

- C:\Users\Admin\AppData\Local\Temp\Prueba de pago.exe (PID 1108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Prueba de pago.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Prueba de pago.exe (PID 1476, child of 1108)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads

- memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1476-2-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1476-3-0x0000000000446D8E-mapping.dmp
- memory/1476-4-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)
- memory/1476-5-0x0000000000400000-0x000000000044C000-memory.dmp (304KB)

The dump names encode the PID, a sequence number and the address range: 0x44C000 - 0x400000 = 0x4C000 = 311,296 bytes, which is the 304KB listed, and the mapping address 0x446D8E lies inside that range. The three memory dumps of PID 1476 cover the same region and are the ones the family_agenttesla rule matched, so any of them is the place to start when carving the unpacked payload.
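The SetThreadContext and WriteProcessMemory signatures and the dump list are more useful once correlated than as separate rows. The following is an added example, not the sandbox's own code: it pairs writer/target PIDs across the two APIs to surface the hollowing candidate, and parses the dump file names to check that the payload dumps cover one range starting at the default 32-bit image base with the mapping address inside it. EVENTS is transcribed from the signature tables above into a constructed record format (the sandbox's real event schema is not shown on the page); the dump names are the ones listed.

```python
"""Correlate process-injection events and sanity-check memory-dump names.

Added example. EVENTS mirrors the report's SetThreadContext / WriteProcessMemory
rows in a constructed record format; the dump names are copied from the report.
"""
import re
from collections import defaultdict

EVENTS = (
    [{"api": "SetThreadContext", "pid": 1108, "image": "Prueba de pago.exe",
      "target": 1476, "target_image": "Prueba de pago.exe"}]
    + [{"api": "WriteProcessMemory", "pid": 1108, "image": "Prueba de pago.exe",
        "target": 1476, "target_image": "Prueba de pago.exe"}] * 9
)


def find_hollowing_candidates(events):
    """Pair (writer, target) keys seen in WriteProcessMemory with SetThreadContext.

    Writer and target sharing an image name is the strong RunPE tell: a process
    spawns itself, overwrites the child and then redirects its main thread.
    """
    writes = defaultdict(int)
    ctx = set()
    images = {}
    for e in events:
        key = (e["pid"], e["target"])
        images[key] = (e["image"], e["target_image"])
        if e["api"] == "WriteProcessMemory":
            writes[key] += 1
        elif e["api"] == "SetThreadContext":
            ctx.add(key)
    out = []
    for key in sorted(ctx):
        if writes[key]:
            src, dst = images[key]
            out.append({"writer": key[0], "target": key[1],
                        "writes": writes[key], "same_image": src == dst})
    return out


# <pid>-<seq>-0x<start>[-0x<end>]-<kind>.dmp ; the end address is absent for
# mapping dumps, which carry a single address.
DUMP_NAME = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping|disk)\.dmp$"
)


def parse_dump_name(name):
    """Split a dump file name into pid, sequence number, address range and kind."""
    m = DUMP_NAME.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": start, "end": end,
            "size_kb": (end - start) // 1024 if end is not None else None}


def payload_region_checks(dump_names, mapping_name):
    """Checks an analyst runs before loading the dumps into a disassembler.

    All payload dumps should cover one region, it should start at 0x400000
    (default image base of a 32-bit PE, i.e. the hollowed child's original
    image), and the mapping address should fall inside that region.
    """
    regions = [parse_dump_name(n) for n in dump_names]
    ranges = {(r["start"], r["end"]) for r in regions}
    mapping = parse_dump_name(mapping_name)
    start, end = next(iter(ranges))
    return {
        "single_range": len(ranges) == 1,
        "default_image_base": start == 0x400000,
        "size_kb": regions[0]["size_kb"],
        "mapping_inside": start <= mapping["start"] < end,
    }


PAYLOAD_DUMPS = [
    "memory/1476-2-0x0000000000400000-0x000000000044C000-memory.dmp",
    "memory/1476-4-0x0000000000400000-0x000000000044C000-memory.dmp",
    "memory/1476-5-0x0000000000400000-0x000000000044C000-memory.dmp",
]
MAPPING_DUMP = "memory/1476-3-0x0000000000446D8E-mapping.dmp"

if __name__ == "__main__":
    print(find_hollowing_candidates(EVENTS))
    print(payload_region_checks(PAYLOAD_DUMPS, MAPPING_DUMP))
```

On the report's events the correlation yields a single candidate, 1108 writing nine times into 1476 with matching image names, and the dump checks all pass with a 304KB region. The same correlation works on EDR telemetry once the events are mapped into the `pid`/`target` record shape; tighten it by requiring the target to be a child of the writer if parent PIDs are available.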