Analysis
- max time kernel: 116s
- max time network: 124s
- platform: windows7_x64
- resource: win7
- submitted: 13-07-2020 14:30

Static task: static1
Behavioral task: behavioral1 (Sample: Order NFH.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: Order NFH.exe, Resource: win10v200430)
General
- Target: Order NFH.exe
- Size: 716KB
- MD5: e1cd9d71092938389c62ff3cb04f3e21
- SHA1: 4efb32358f982807fe65236ffd73417f8d29f6fd
- SHA256: 66bb65619121b9636dd4c02d3573055922b22e0c55ea1ad093d4b2759bf8118e
- SHA512: 37ae4d6ac8a6022517db42550b43c492f778e1613da04221426844de46c0f7be0544cb4bc14fee841d0a6efc60f98454c5a0c15033834eecdfd5e9d47bc1f680
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: webmail.mantenimientosymontajes.com
- Port: 587
- Username: [email protected]
- Password: gnx1470
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) and credential stealer written in Visual Basic .NET. In this run the family rule matches the memory of the dropped RegAsm.exe process (PID 1028), not the original file.

AgentTesla Payload (4 IoCs)
  resource                                                                    yara_rule
  behavioral1/memory/1028-4-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1028-5-0x000000000044742E-mapping.dmp                     family_agenttesla
  behavioral1/memory/1028-7-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1028-8-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla

Executes dropped EXE (1 IoC)
  pid   process
  1028  RegAsm.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1492  Order NFH.exe
  1028  RegAsm.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla, which keep saved site credentials in their XML configuration files.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, which infostealers often target.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   process        target process
  PID 1492 set thread context of 1028   1492  Order NFH.exe  RegAsm.exe

Suspicious behavior: EnumeratesProcesses (5 IoCs)
  pid   process
  1492  Order NFH.exe
  1492  Order NFH.exe
  1492  Order NFH.exe
  1028  RegAsm.exe
  1028  RegAsm.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1492  Order NFH.exe
  Token: SeDebugPrivilege   1028  RegAsm.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   process        target process
  PID 1492 wrote to memory of 1028   1492  Order NFH.exe  RegAsm.exe   (12 identical events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\Order NFH.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Order NFH.exe"
   PID: 1492
   - Loads dropped DLL
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\RegAsm.exe (child of PID 1492)
      Command line: "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"
      PID: 1028
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
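The signature tables and process tree above record a textbook process-hollowing chain: the dropper (PID 1492) drops a RegAsm.exe into %TEMP%, starts it, writes into it twelve times and resets its thread context, after which the AgentTesla YARA rule fires on the 0x400000-0x44C000 image inside PID 1028. As an added example, not part of the sandbox report, the following Python runs the checks a detection engineer would want over those rows: it pairs WriteProcessMemory with SetThreadContext per parent/child pair, flags a .NET host binary that runs from outside the framework directory, and confirms that the mapping dump's address falls inside the flagged region. The event lines, process paths and dump names are constructed from the tables on this page; the one-line event format, the framework install paths and the list of host binaries are assumptions, not a documented sandbox export.

```python
import re
from collections import defaultdict

# Constructed inputs that mirror the report's tables (same PIDs, images and
# dump names). The line format is a transcription of the report's rows, not
# a documented sandbox export format.
EVENTS = (
    ["PID 1492 set thread context of 1028 1492 Order NFH.exe RegAsm.exe"]
    + ["PID 1492 wrote to memory of 1028 1492 Order NFH.exe RegAsm.exe"] * 12
)
PROCESSES = {  # pid -> image path taken from the process tree
    1492: "C:\\Users\\Admin\\AppData\\Local\\Temp\\Order NFH.exe",
    1028: "C:\\Users\\Admin\\AppData\\Local\\Temp\\RegAsm.exe",
}
MEMORY_HITS = [  # (resource, yara_rule) rows of the "AgentTesla Payload" table
    ("behavioral1/memory/1028-4-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
    ("behavioral1/memory/1028-5-0x000000000044742E-mapping.dmp", "family_agenttesla"),
    ("behavioral1/memory/1028-7-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
    ("behavioral1/memory/1028-8-0x0000000000400000-0x000000000044C000-memory.dmp", "family_agenttesla"),
]

EVENT_RE = re.compile(r"^PID (\d+) (set thread context of|wrote to memory of) (\d+)\b")
REGION_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"/(\d+)-\d+-0x([0-9A-Fa-f]+)-mapping\.dmp$")

# Assumption: default install locations of the .NET Framework host binaries.
DOTNET_DIRS = ("c:\\windows\\microsoft.net\\framework\\", "c:\\windows\\microsoft.net\\framework64\\")
DOTNET_HOSTS = {"regasm.exe", "regsvcs.exe", "msbuild.exe", "installutil.exe"}


def find_hollowing(events, min_writes=1):
    """(parent, child) pairs where the parent wrote into the child's memory and also
    reset a thread context there: the WriteProcessMemory-then-SetThreadContext pattern
    a hollowing loader leaves behind (ATT&CK T1055.012, Process Hollowing)."""
    writes = defaultdict(int)
    ctx_set = set()
    for line in events:
        m = EVENT_RE.match(line)
        if not m:
            continue  # other event types are irrelevant to this rule
        src, verb, dst = int(m[1]), m[2], int(m[3])
        if verb.startswith("wrote"):
            writes[(src, dst)] += 1
        else:
            ctx_set.add((src, dst))
    return sorted(p for p in ctx_set if writes[p] >= min_writes)


def masquerading_host(image_path):
    """True when a well-known .NET host binary runs from outside its framework
    directory, which is what a copy dropped into %TEMP% looks like."""
    p = image_path.lower()
    return p.rsplit("\\", 1)[-1] in DOTNET_HOSTS and not p.startswith(DOTNET_DIRS)


def parse_memory_hits(hits, rule="family_agenttesla"):
    """pid -> sorted (start, end) regions flagged by `rule`, and pid -> sorted
    addresses of the single-address mapping dumps flagged by the same rule."""
    regions, mappings = defaultdict(set), defaultdict(set)
    for name, yara_rule in hits:
        if yara_rule != rule:
            continue
        if m := REGION_RE.search(name):
            regions[int(m[1])].add((int(m[2], 16), int(m[3], 16)))
        elif m := MAPPING_RE.search(name):
            mappings[int(m[1])].add(int(m[2], 16))
    return ({k: sorted(v) for k, v in regions.items()},
            {k: sorted(v) for k, v in mappings.items()})


def triage(events=EVENTS, procs=PROCESSES, hits=MEMORY_HITS):
    """Tie the three observations together into findings a responder can act on."""
    findings = []
    regions, mappings = parse_memory_hits(hits)
    for src, dst in find_hollowing(events):
        findings.append(f"hollowing: pid {src} ({procs[src]}) -> pid {dst} ({procs[dst]})")
        if masquerading_host(procs[dst]):
            findings.append(f"dotnet host run from non-framework path: {procs[dst]}")
        for start, end in regions.get(dst, []):
            inside = [hex(a) for a in mappings.get(dst, []) if start <= a < end]
            findings.append(
                f"payload image 0x{start:X}-0x{end:X} ({end - start} bytes) in pid {dst}; "
                f"mapping hits inside it: {inside}"
            )
    return findings


if __name__ == "__main__":
    for line in triage():
        print(line)
```

Requiring the thread-context reset in addition to the memory writes is what keeps this rule quiet on debuggers and .NET runtime hosts, which write into child processes but do not redirect a suspended main thread; the region check is the consistency test that the mapping dump and the three identical region dumps describe one injected image of 0x4C000 (311296) bytes.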
Network
MITRE ATT&CK Enterprise v6
Downloads
- MD5: b58b926c3574d28d5b7fdd2ca3ec30d5
  SHA1: d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
  SHA256: 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
  SHA512: b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab
  (this artifact is listed four times in the report with identical hashes)