Analysis
-
max time kernel
149s -
max time network
143s -
platform
windows7_x64 -
resource
win7 -
submitted
13-07-2020 05:59
General
-
Target
Shipping Documents.exe
-
Size
652KB
-
MD5
9ad127f4f4d28ea19395cb16c194f23d
-
SHA1
21ce15a2f1ee49d7420ea368e51cf92b61028a4c
-
SHA256
9c1f76b540f055b2b6131cde2f6896e73f3e0170070c0551d90d20364156d32c
-
SHA512
b3e6f896c4d0747e0d575b1abc63eb96eb0cd791bce21275c44b58731494fa143f1ba03ea6185ee1d3c25366c32e8b26bdefdd4624f0f9780e3e8fcc64665d13
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
[email protected] - Password:
ikechukwu112
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Executes dropped EXE 4 IoCs
-
Patched UPX-packed file 7 IoCs
Sample is packed with UPX but required header fields are zeroed out to prevent unpacking with the default UPX tool.
-
Loads dropped DLL 8 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 34 IoCs
-
Suspicious use of SendNotifyMessage 32 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"1⤵
- Suspicious use of SetThreadContext
-
C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=83.0.4103.106 --initial-client-data=0xa4,0xa8,0xac,0x78,0xb0,0x7fefb3ebd28,0x7fefb3ebd38,0x7fefb3ebd482⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1080 /prefetch:22⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1696 /prefetch:12⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --instant-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:12⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1320 /prefetch:22⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2548 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2632 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2720 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2736 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3112 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3240 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3200 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3268 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --disable-gpu-compositing --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:12⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=2924 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3000 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2836 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2740 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=2772 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --disable-gpu-compositing --lang=en-US --extension-process --enable-auto-reload --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2540 /prefetch:12⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=1464 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=1684 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=540 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=604 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1492 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=3052 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1796 /prefetch:82⤵
-
-
C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --type=utility --field-trial-handle=944,14059893151287167418,4447884844371826383,131072 --lang=en-US --service-sandbox-type=utility --enable-audio-service-sandbox --mojo-platform-channel-handle=1784 /prefetch:82⤵
-
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\83.238.200\software_reporter_tool.exe"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\83.238.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=U6TA3lEPuCM7m2R+nqS0fmBQ1DHjLSXIPrmTqA+e --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=83.238.200 --initial-client-data=0x160,0x164,0x168,0x134,0x16c,0x13f509928,0x13f509938,0x13f5099483⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2072_KMLGOUGIADJNOVFC" --sandboxed-process-id=2 --init-done-notifier=484 --sandbox-mojo-pipe-token=2723197499843145390 --mojo-platform-channel-handle=456 --engine=23⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe"c:\users\admin\appdata\local\google\chrome\user data\swreporter\83.238.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_2072_KMLGOUGIADJNOVFC" --sandboxed-process-id=3 --init-done-notifier=644 --sandbox-mojo-pipe-token=1792513728913948937 --mojo-platform-channel-handle=6403⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
140KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
140KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
4KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
304KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
68KB
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B
-
Filesize
176B