Analysis
-
max time kernel
143s -
max time network
24s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
13-07-2020 06:34
Static task
static1
Behavioral task
behavioral1
Sample
Payment doc747322.exe
Resource
win7v200430
General
-
Target
Payment doc747322.exe
-
Size
491KB
-
MD5
88087279864b6d4db153f6dd9c68f065
-
SHA1
7e8a69d8aecc43d9449af37efb5fcdaee1cf4166
-
SHA256
112fe86589f5587620a62be8ebeab2ee9898f770762f7be2b92a229c46d52917
-
SHA512
7c9003242e32bbca7890e0393c370686e3a4011e98e6b3c77859d73d6b97ab89752c1da3c2909bee3ee72333117721f63ecdb856317ebde71cb8ed854c786dfd
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.privateemail.com - Port:
587 - Username:
[email protected] - Password:
killdemall007
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource yara_rule behavioral1/memory/1748-0-0x0000000000400000-0x000000000046E000-memory.dmp family_agenttesla behavioral1/memory/1748-1-0x000000000046861E-mapping.dmp family_agenttesla behavioral1/memory/1748-2-0x0000000000400000-0x000000000046E000-memory.dmp family_agenttesla behavioral1/memory/1748-3-0x0000000000400000-0x000000000046E000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Payment doc747322.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Payment doc747322.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Payment doc747322.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes:
Payment doc747322.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum Payment doc747322.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 Payment doc747322.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
Payment doc747322.exedescription pid process target process PID 240 set thread context of 1748 240 Payment doc747322.exe Payment doc747322.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
Payment doc747322.exepid process 1748 Payment doc747322.exe 1748 Payment doc747322.exe -
Suspicious behavior: RenamesItself 1 IoCs
Processes:
Payment doc747322.exepid process 1748 Payment doc747322.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
Payment doc747322.exedescription pid process Token: SeDebugPrivilege 1748 Payment doc747322.exe -
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
Payment doc747322.exePayment doc747322.exedescription pid process target process PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 240 wrote to memory of 1748 240 Payment doc747322.exe Payment doc747322.exe PID 1748 wrote to memory of 1168 1748 Payment doc747322.exe dw20.exe PID 1748 wrote to memory of 1168 1748 Payment doc747322.exe dw20.exe PID 1748 wrote to memory of 1168 1748 Payment doc747322.exe dw20.exe PID 1748 wrote to memory of 1168 1748 Payment doc747322.exe dw20.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Payment doc747322.exe"C:\Users\Admin\AppData\Local\Temp\Payment doc747322.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:240 -
C:\Users\Admin\AppData\Local\Temp\Payment doc747322.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exedw20.exe -x -s 10043⤵PID:1168