Analysis
-
max time kernel
130s -
max time network
65s -
platform
windows10_x64 -
resource
win10v200430 -
submitted
10-07-2020 13:29
Static task
static1
Behavioral task
behavioral1
Sample
kedycript.exe
Resource
win7
Behavioral task
behavioral2
Sample
kedycript.exe
Resource
win10v200430
General
-
Target
kedycript.exe
-
Size
469KB
-
MD5
ecabfeb30cbae721107fe69c169ef36e
-
SHA1
0ea9d68b068d617c1f576714c5f7a8012a1a2567
-
SHA256
df8fe4098c22cd64afb8369348581a0ed7c924ea9ad659741e2899a32ab2e842
-
SHA512
6c6b9ac0ab695b4acaf22d3885d25289006dcf86069b9d6c1f312fcdce82af8227308e425decb52793708d16f78ebe8cedc20bfb6369a712d39bc9254e29e9c0
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.wolterfan.com - Port:
587 - Username:
[email protected] - Password:
@Mar123
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/2480-4-0x0000000000400000-0x00000000004B0000-memory.dmp family_agenttesla behavioral2/memory/2480-5-0x0000000002200000-0x0000000002252000-memory.dmp family_agenttesla -
Processes:
resource yara_rule behavioral2/memory/2480-0-0x0000000000400000-0x00000000004B0000-memory.dmp upx behavioral2/memory/2480-3-0x0000000000400000-0x00000000004B0000-memory.dmp upx behavioral2/memory/2480-4-0x0000000000400000-0x00000000004B0000-memory.dmp upx -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
kedycript.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\CFMBUF = "C:\\Users\\Admin\\AppData\\Roaming\\CFMBUF\\CFMBUF.exe" kedycript.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
kedycript.exedescription pid process target process PID 1600 set thread context of 2480 1600 kedycript.exe kedycript.exe -
Suspicious behavior: EnumeratesProcesses 42 IoCs
Processes:
kedycript.exekedycript.exekedycript.exepid process 1600 kedycript.exe 1600 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2556 kedycript.exe 2480 kedycript.exe 2480 kedycript.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
kedycript.exepid process 1600 kedycript.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
kedycript.exedescription pid process Token: SeDebugPrivilege 2480 kedycript.exe -
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
kedycript.exekedycript.exedescription pid process target process PID 1600 wrote to memory of 2480 1600 kedycript.exe kedycript.exe PID 1600 wrote to memory of 2480 1600 kedycript.exe kedycript.exe PID 1600 wrote to memory of 2480 1600 kedycript.exe kedycript.exe PID 1600 wrote to memory of 2556 1600 kedycript.exe kedycript.exe PID 1600 wrote to memory of 2556 1600 kedycript.exe kedycript.exe PID 1600 wrote to memory of 2556 1600 kedycript.exe kedycript.exe PID 2480 wrote to memory of 4052 2480 kedycript.exe netsh.exe PID 2480 wrote to memory of 4052 2480 kedycript.exe netsh.exe PID 2480 wrote to memory of 4052 2480 kedycript.exe netsh.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\kedycript.exe"C:\Users\Admin\AppData\Local\Temp\kedycript.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1600 -
C:\Users\Admin\AppData\Local\Temp\kedycript.exe"C:\Users\Admin\AppData\Local\Temp\kedycript.exe"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2480 -
C:\Windows\SysWOW64\netsh.exe"netsh" wlan show profile3⤵PID:4052
-
C:\Users\Admin\AppData\Local\Temp\kedycript.exe"C:\Users\Admin\AppData\Local\Temp\kedycript.exe" 2 2480 1392812⤵
- Suspicious behavior: EnumeratesProcesses
PID:2556