Analysis
max time kernel: 145s
max time network: 37s
platform: windows7_x64
resource: win7v200430
submitted: 10-07-2020 07:35
Tasks
Static task: static1
Behavioral task: behavioral1 (Sample: gunzipped.exe, Resource: win7v200430)
Behavioral task: behavioral2 (Sample: gunzipped.exe, Resource: win10)
General
Target: gunzipped.exe
Size: 546KB
MD5: da020d0c54734d21d96efd3b05cafc0b
SHA1: 1ef4a1601984ed3eeffcaa15ecaec7ded28f7ebd
SHA256: 0a8a4c3e09dd9ea5652a1388c395ed0707e6e2c370fa0fa288f71da425022464
SHA512: 233816b405f65db45ef67ddac66e16746d341ebd53c6ab289f5ef19ded128eb82631cf2f6a9593771a71bdf564a2c667b4088cba43524c480ce6ba6ad2c352b9
Malware Config
Extracted: agenttesla
Protocol: smtp
Host: smtp.elittacop.com
Port: 587
Username: [email protected]
Password: @eaSYuc8
Signatures
- AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/1768-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1768-3-0x0000000000446FCE-mapping.dmp | family_agenttesla
behavioral1/memory/1768-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
behavioral1/memory/1768-5-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Looks for VirtualBox Guest Additions in registry (2 TTPs)
- Looks for VMWare Tools registry key (2 TTPs)
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes (gunzipped.exe):
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | gunzipped.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | gunzipped.exe
- Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.
- Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
- Maps connected drives based on registry (3 TTPs, 2 IoCs)
Disk information is often read in order to detect sandboxing environments.
Processes (gunzipped.exe):
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | gunzipped.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 | gunzipped.exe
- Suspicious use of SetThreadContext (1 IoC)
Processes (gunzipped.exe):
description | pid | process | target process
PID 676 set thread context of 1768 | 676 | gunzipped.exe | gunzipped.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (gunzipped.exe):
pid | process
1768 | gunzipped.exe
1768 | gunzipped.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes (gunzipped.exe):
description | pid | process
Token: SeDebugPrivilege | 1768 | gunzipped.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
Processes (gunzipped.exe):
description | pid | process | target process
PID 676 wrote to memory of 1768 | 676 | gunzipped.exe | gunzipped.exe (this identical entry is recorded 9 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\gunzipped.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\gunzipped.exe"
   PID: 676
   - Checks BIOS information in registry
   - Maps connected drives based on registry
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\gunzipped.exe (child of PID 676)
      Command line: "{path}"
      PID: 1768
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken