Analysis
- max time kernel: 90s
- max time network: 52s
- platform: windows7_x64
- resource: win7v200430
- submitted: 13-07-2020 06:34
Static task: static1

Behavioral task: behavioral1
- Sample: b9ad9d623e05bfa11124ab8b54c74fbd.exe
- Resource: win7v200430
- 0 signatures
- 0 seconds

Behavioral task: behavioral2
- Sample: b9ad9d623e05bfa11124ab8b54c74fbd.exe
- Resource: win10
- 0 signatures
- 0 seconds
General
- Target: b9ad9d623e05bfa11124ab8b54c74fbd.exe
- Size: 324KB
- MD5: b9ad9d623e05bfa11124ab8b54c74fbd
- SHA1: ed51c11b5170b1860f8935d6af82dde8b4a38f85
- SHA256: 1f6648f6fd581ed57b9566f4eb942687aaa6401baba93ed7c287933c7d3d6ab1
- SHA512: bb82af31337a939d1af30668876095e205341180ef0bf800fd5d8789a2fe1663f38ffa00be76d017029b6c54c7b1364bf60f58ba8373fc88e001697a3e99bfd0
- Score: 10/10
Malware Config
Extracted
- Family: agenttesla
- Credentials
  - Protocol: smtp
  - Host: smtp.bapipl.com
  - Port: 587
  - Username: [email protected]
  - Password: Bharat123
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1052-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1052-3-0x000000000044778E-mapping.dmp | family_agenttesla
  behavioral1/memory/1052-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
  behavioral1/memory/1052-5-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- Suspicious use of SetThreadContext (1 IoC)
  Processes: b9ad9d623e05bfa11124ab8b54c74fbd.exe
  description | pid | process | target process
  PID 1388 set thread context of 1052 | 1388 | b9ad9d623e05bfa11124ab8b54c74fbd.exe | RegSvcs.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes: b9ad9d623e05bfa11124ab8b54c74fbd.exe, RegSvcs.exe
  pid | process
  1388 | b9ad9d623e05bfa11124ab8b54c74fbd.exe
  1052 | RegSvcs.exe
  1052 | RegSvcs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: b9ad9d623e05bfa11124ab8b54c74fbd.exe, RegSvcs.exe
  description | pid | process
  Token: SeDebugPrivilege | 1388 | b9ad9d623e05bfa11124ab8b54c74fbd.exe
  Token: SeDebugPrivilege | 1052 | RegSvcs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: b9ad9d623e05bfa11124ab8b54c74fbd.exe
  description | pid | process | target process
  PID 1388 wrote to memory of 1052 | 1388 | b9ad9d623e05bfa11124ab8b54c74fbd.exe | RegSvcs.exe
  (the same entry is recorded 12 times, one per WriteProcessMemory call)
Processes
- 1. C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\b9ad9d623e05bfa11124ab8b54c74fbd.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1052-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1052-3-0x000000000044778E-mapping.dmp
- memory/1052-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1052-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1388-1-0x0000000000000000-0x0000000000000000-disk.dmp