Analysis

max time kernel: 136s
max time network: 31s
platform: windows7_x64
resource: win7v200430
submitted: 13-07-2020 11:28
Static task: static1

Behavioral task: behavioral1
  Sample: ab953158dc7becaab002a73e470a407c.exe
  Resource: win7v200430

Behavioral task: behavioral2
  Sample: ab953158dc7becaab002a73e470a407c.exe
  Resource: win10
General

Target: ab953158dc7becaab002a73e470a407c.exe
Size: 330KB
MD5: ab953158dc7becaab002a73e470a407c
SHA1: 14472408f8cd901022c2ecb57e9efcd9f654b482
SHA256: 0dde348228b5ad99d94e434be378b31e114ec0dbb9a008db1218d3a349ceea8b
SHA512: 4d4295d080542f77cf5b138e04ec39acc5876af82461cc0618be8a5dd3be1a01db9c3d67708c0030ed3d44b6e9507d4a8f6316f98397ee5015a5edfcb75d0a87
Malware Config

Extracted: agenttesla
  Protocol: smtp
  Host: mangero.xyz
  Port: 587
  Username: [email protected]
  Password: 7213575aceACE@#$
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (4 IoCs)
  resource                                                                     yara_rule
  behavioral1/memory/1360-0-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1360-1-0x00000000004475BE-mapping.dmp                     family_agenttesla
  behavioral1/memory/1360-2-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1360-3-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk where infostealers will often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ab953158dc7becaab002a73e470a407c.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\prince = "C:\\Users\\Admin\\AppData\\Local\\Temp\\prince\\prince.exe"
Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process                               procid_target
  PID 1312 set thread context of 1360   1312  ab953158dc7becaab002a73e470a407c.exe  26
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  1360  ab953158dc7becaab002a73e470a407c.exe
  1360  ab953158dc7becaab002a73e470a407c.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   1360  ab953158dc7becaab002a73e470a407c.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1360  ab953158dc7becaab002a73e470a407c.exe
Suspicious use of WriteProcessMemory (9 IoCs)
  description                          pid   Process                               procid_target
  PID 1312 wrote to memory of 1360     1312  ab953158dc7becaab002a73e470a407c.exe  26
  (the same row is reported 9 times, once per write)
Processes

C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe"
  PID: 1312
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe (child of PID 1312)
    Command line: "{path}"
    PID: 1360
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx