Analysis
-
max time kernel
130s -
max time network
137s -
platform
windows7_x64 -
resource
win7 -
submitted
10-07-2020 11:20
Static task
static1
Behavioral task
behavioral1
Sample
Document din 40-312296854.exe
Resource
win7
Behavioral task
behavioral2
Sample
Document din 40-312296854.exe
Resource
win10v200430
General
-
Target
Document din 40-312296854.exe
-
Size
437KB
-
MD5
961b7aea9625d6a84e06f18afd8f4027
-
SHA1
59585bd71bcf196b794b6503fddc43405f9dedcf
-
SHA256
84f7bbb691b431355264cf4e815bf32281c00efe34805b47b7e8aef84fbe610e
-
SHA512
907dd33d077919f84fbf0721770bd708b10b9503bd0ff1ae684ba9c46d3eac7aa9f4c59d4bdb71df97068dd8de1c73a0a37858825447af905b8dceb596a607d9
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.mlibano.com.br - Port:
587 - Username:
[email protected] - Password:
libano@2017
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/1632-4-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1632-5-0x0000000000447E8E-mapping.dmp family_agenttesla behavioral1/memory/1632-6-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/1632-7-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1072 set thread context of 1632 1072 Document din 40-312296854.exe 26 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1452 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1632 Document din 40-312296854.exe 1632 Document din 40-312296854.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 1632 Document din 40-312296854.exe -
Suspicious use of WriteProcessMemory 13 IoCs
description pid Process procid_target PID 1072 wrote to memory of 1452 1072 Document din 40-312296854.exe 24 PID 1072 wrote to memory of 1452 1072 Document din 40-312296854.exe 24 PID 1072 wrote to memory of 1452 1072 Document din 40-312296854.exe 24 PID 1072 wrote to memory of 1452 1072 Document din 40-312296854.exe 24 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26 PID 1072 wrote to memory of 1632 1072 Document din 40-312296854.exe 26
Processes
-
C:\Users\Admin\AppData\Local\Temp\Document din 40-312296854.exe"C:\Users\Admin\AppData\Local\Temp\Document din 40-312296854.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1072 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VEETrpvqChgwu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp83A0.tmp"2⤵
- Creates scheduled task(s)
PID:1452
-
-
C:\Users\Admin\AppData\Local\Temp\Document din 40-312296854.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1632
-