Analysis
  max time kernel: 91s
  max time network: 110s
  platform: windows10_x64
  resource: win10
  submitted: 13-07-2020 11:28
  Static task: static1
  Behavioral task: behavioral1
    Sample: ab953158dc7becaab002a73e470a407c.exe
    Resource: win7v200430
  Behavioral task: behavioral2
    Sample: ab953158dc7becaab002a73e470a407c.exe
    Resource: win10
General
  Target: ab953158dc7becaab002a73e470a407c.exe
  Size: 330KB
  MD5: ab953158dc7becaab002a73e470a407c
  SHA1: 14472408f8cd901022c2ecb57e9efcd9f654b482
  SHA256: 0dde348228b5ad99d94e434be378b31e114ec0dbb9a008db1218d3a349ceea8b
  SHA512: 4d4295d080542f77cf5b138e04ec39acc5876af82461cc0618be8a5dd3be1a01db9c3d67708c0030ed3d44b6e9507d4a8f6316f98397ee5015a5edfcb75d0a87
Malware Config
  Extracted: agenttesla
    Protocol: smtp
    Host: mangero.xyz
    Port: 587
    Username: [email protected]
    Password: 7213575aceACE@#$
Signatures

- AgentTesla
  Agent Tesla is a .NET-based information stealer and remote access tool (RAT). It harvests saved credentials from web browsers, email clients and FTP clients and exfiltrates them over a channel built into the sample, here SMTP to the account in the extracted configuration above.
- AgentTesla Payload (2 IoCs)
  resource                                                                     yara_rule
  behavioral2/memory/3952-0-0x0000000000400000-0x000000000044C000-memory.dmp   family_agenttesla
  behavioral2/memory/3952-1-0x00000000004475BE-mapping.dmp                     family_agenttesla

- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.

- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: ab953158dc7becaab002a73e470a407c.exe (PID 3952)
  Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\prince = "C:\\Users\\Admin\\AppData\\Local\\Temp\\prince\\prince.exe"

- Suspicious use of SetThreadContext (1 IoC)
  PID 3588 (ab953158dc7becaab002a73e470a407c.exe) set thread context of PID 3952 (ab953158dc7becaab002a73e470a407c.exe, target procid 68)

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3952 ab953158dc7becaab002a73e470a407c.exe (2 occurrences)

- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 3952 ab953158dc7becaab002a73e470a407c.exe: Token SeDebugPrivilege

- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3952 ab953158dc7becaab002a73e470a407c.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3588 (ab953158dc7becaab002a73e470a407c.exe) wrote to memory of PID 3952 (ab953158dc7becaab002a73e470a407c.exe, target procid 68), 8 identical events
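The signature tables above can be turned into hunt-ready indicators mechanically, and the combination they record (a parent that writes into a freshly spawned copy of itself and then replaces a thread context there) is the process-hollowing sequence that unpacks the real payload. The Python below is an added example, not Tria.ge tooling and not part of this report. Its input is a constructed sample: the report's own signature lines copied into the script, with the extracted SMTP configuration reduced to key: value lines and the password omitted. The regular expressions, function names and the "process_hollowing" / "run_key" / "smtp_exfil" indicator types are my own and assume the line shapes shown on this page.

```python
"""Pull structured indicators out of Tria.ge-style behavioural signature lines.

Constructed sample input (copied from the report on this page); the regexes
and function names below are an added example, not Tria.ge's own tooling.
"""
import re
from collections import defaultdict

REPORT = r"""
PID 3588 set thread context of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
PID 3588 wrote to memory of 3952 3588 ab953158dc7becaab002a73e470a407c.exe 68
Token: SeDebugPrivilege 3952 ab953158dc7becaab002a73e470a407c.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\prince = "C:\\Users\\Admin\\AppData\\Local\\Temp\\prince\\prince.exe" ab953158dc7becaab002a73e470a407c.exe
Protocol: smtp
Host: mangero.xyz
Port: 587
Username: [email protected]
"""

# "PID <src> <action> <dst> <src again> <image> <procid>" as Triage prints it.
MEM_EVENT = re.compile(r"PID (\d+) (set thread context of|wrote to memory of) (\d+) \d+ (\S+)")
# Run-key value: "...\CurrentVersion\Run\<name> = "<path with doubled backslashes>""
RUN_KEY = re.compile(r'\\CurrentVersion\\Run\\(\S+) = "(.+?)"')
# Extracted-config lines in key: value form (the password is deliberately not parsed).
CONFIG = re.compile(r"^(Protocol|Host|Port|Username): (.+)$", re.M)


def memory_events(text):
    """(source_pid, action, target_pid, image) tuples in report order."""
    return [(int(s), a, int(t), img) for s, a, t, img in MEM_EVENT.findall(text)]


def hollowing_candidates(text):
    """Parent/child pairs where the parent both wrote into the child's memory
    and replaced a thread context there: the RunPE / process-hollowing sequence.
    Returns {(parent_pid, child_pid): {"writes": n, "context_sets": m}}."""
    stats = defaultdict(lambda: {"writes": 0, "context_sets": 0})
    for src, action, dst, _img in memory_events(text):
        field = "writes" if action == "wrote to memory of" else "context_sets"
        stats[(src, dst)][field] += 1
    return {k: v for k, v in stats.items() if v["writes"] and v["context_sets"]}


def run_key_persistence(text):
    """Run-key values written during the run, with Triage's doubled backslashes undone."""
    return [(name, path.replace("\\\\", "\\")) for name, path in RUN_KEY.findall(text)]


def exfil_config(text):
    """Extracted C2 configuration as a dict, keys lower-cased, port coerced to int."""
    cfg = {k.lower(): v.strip() for k, v in CONFIG.findall(text)}
    if "port" in cfg:
        cfg["port"] = int(cfg["port"])
    return cfg


def indicators(text):
    """Flat list of (type, value) pairs ready for a blocklist or a hunt query."""
    out = []
    for (parent, child), v in hollowing_candidates(text).items():
        out.append(("process_hollowing", f"{parent}->{child} ({v['writes']} writes, {v['context_sets']} context set)"))
    for name, path in run_key_persistence(text):
        out.append(("run_key", f"{name}={path}"))
    cfg = exfil_config(text)
    if cfg.get("protocol") == "smtp":
        out.append(("smtp_exfil", f"{cfg['host']}:{cfg['port']} as {cfg.get('username')}"))
    return out


if __name__ == "__main__":
    for kind, value in indicators(REPORT):
        print(f"{kind:18} {value}")
```

Parent 3588 and child 3952 share an image path and the child was started with the placeholder command line "{path}", which is the shape of a .NET loader hollowing a fresh copy of itself; the two memory dumps the YARA rule matched (3952-0 and 3952-1) belong to that child, so the unpacked Agent Tesla is what those dumps contain, not the 330KB file on disk. The Run key value points at a copy the sample has not yet been seen writing in the file list below, so on a real host the path itself, not just the key name "prince", is what to check.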
Processes

- C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe"
  PID: 3588
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ab953158dc7becaab002a73e470a407c.exe (child of 3588)
    Command line: "{path}"
    PID: 3952
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx

- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  PID: 3800
Network
MITRE ATT&CK Enterprise v6
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\ab953158dc7becaab002a73e470a407c.exe.log
  MD5: c33b4293a0023b388d1a816aba4901f1
  SHA1: a793fe7d4694457873aa26a454a5d4b0207d7d54
  SHA256: 5b4a63ea1ce7cc18eb1be775ffb52b342bb678f265c88d4518d8e1fe44a55234
  SHA512: d04308b55218a71bd09562de76a8030e6327fb0143695e01cb25fb5ad6a9b3715425e4782dc5d27b0aaaf0d71048f0886099df6ce87e29e796abe3727fd1ba53