Analysis
- Max time kernel: 117s
- Max time network: 148s
- Platform: windows10_x64
- Resource: win10v200430
- Submitted: 14-07-2020 14:17

Tasks
- Static task: static1
- Behavioral task: behavioral1 (sample buk.exe, resource win7)
- Behavioral task: behavioral2 (sample buk.exe, resource win10v200430)
General
- Target: buk.exe
- Size: 279KB
- MD5: 0adfa647a523f3ffd47fca65b3830012
- SHA1: ef3dc8671e76d34168b0ccdf8e9e6b4004cf9f8f
- SHA256: 4c5973bceb6055158baa38a15a42ee7d983d95d2bf81b89802e2947705feabae
- SHA512: d39e3dd4bd35b044d2833e914aae43e1af9b76e85095c054bbd8ab229acc606ee2d4646b3875eee04f97244ef076056bc190f1dff9761c578eca78952aee3ac3
Malware Config
Extracted (Agent Tesla SMTP exfiltration settings)
- Protocol: smtp
- Host: smtp.topbas-tr.com
- Port: 587
- Username: buking@topbas-tr.com
- Password: QdWRFxG1

These are the mailbox credentials the sample uses to send stolen data out. Treat the host, port and account name as network indicators for hunting; the credentials belong to an attacker-controlled mailbox and are not something to authenticate with.
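Added example for this report (not part of the sandbox output): it turns the flattened "Extracted" block above into typed indicators, checks a candidate file against the hashes in the General section, and hunts for the exfiltration endpoint in SMTP proxy logs. The `key=value` proxy log format and the three log lines are constructed for the example; only the hashes and the config values come from the report.

```python
"""Triage helpers for the Agent Tesla report above.

Added example, not part of the sandbox output: it parses the flattened
"Malware Config / Extracted" block into indicators, checks a file against the
report's hashes, and hunts for the SMTP exfiltration endpoint in proxy logs.
The log format and the log lines are constructed for this example.
"""
import hashlib
import re
from dataclasses import dataclass

# Copied verbatim from the report's Malware Config section (line-wrapped as shown).
EXTRACTED_CONFIG = (
    "Protocol: smtp- Host:\n"
    "smtp.topbas-tr.com - Port:\n"
    "587 - Username:\n"
    "buking@topbas-tr.com - Password:\n"
    "QdWRFxG1"
)

# File hashes from the report's General section.
REPORT_HASHES = {
    "md5": "0adfa647a523f3ffd47fca65b3830012",
    "sha1": "ef3dc8671e76d34168b0ccdf8e9e6b4004cf9f8f",
    "sha256": "4c5973bceb6055158baa38a15a42ee7d983d95d2bf81b89802e2947705feabae",
    "sha512": "d39e3dd4bd35b044d2833e914aae43e1af9b76e85095c054bbd8ab229acc606ee2d4646b3875eee04f97244ef076056bc190f1dff9761c578eca78952aee3ac3",
}

CONFIG_KEYS = ("Protocol", "Host", "Port", "Username", "Password")


@dataclass(frozen=True)
class SmtpExfilConfig:
    protocol: str
    host: str
    port: int
    username: str
    password: str  # attacker-owned mailbox credential: an IoC, never something to log in with


def parse_extracted_config(text: str) -> SmtpExfilConfig:
    """Parse the report's 'Key: value - Key: value' run into a typed record.

    The report separates fields with ' - ' (sometimes '- ' with no leading
    space, as in 'smtp- Host:') and wraps values onto new lines, so the text
    is first collapsed to one line and then split on the known field names.
    """
    flat = " ".join(text.split())
    pattern = r"\s*-?\s*(" + "|".join(CONFIG_KEYS) + r"):\s*"
    parts = re.split(pattern, flat)
    fields = dict(zip(parts[1::2], parts[2::2]))
    missing = [k for k in CONFIG_KEYS if k not in fields]
    if missing:
        raise ValueError(f"config block is missing fields: {missing}")
    return SmtpExfilConfig(
        protocol=fields["Protocol"].lower(),
        host=fields["Host"].lower(),
        port=int(fields["Port"]),
        username=fields["Username"].lower(),
        password=fields["Password"],
    )


def check_report_hashes(data: bytes) -> dict:
    """Hash a candidate file and report which of the published hashes it matches."""
    return {
        name: hashlib.new(name, data).hexdigest() == expected
        for name, expected in REPORT_HASHES.items()
    }


def hunt_smtp_logs(cfg: SmtpExfilConfig, lines: list) -> list:
    """Flag log lines that reach the exfil server or use its mailbox account.

    Expects 'key=value' tokens per line (a constructed proxy format). A hit
    records the source host so infected machines can be identified.
    """
    hits = []
    for lineno, line in enumerate(lines, start=1):
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        reasons = []
        if kv.get("dst", "").lower() == cfg.host and kv.get("dport") == str(cfg.port):
            reasons.append("connection to exfil host/port")
        if cfg.username in line.lower():
            reasons.append("use of exfil mailbox account")
        if reasons:
            hits.append({"line": lineno, "src": kv.get("src"), "reasons": reasons})
    return hits


# Constructed SMTP proxy log lines: one benign, two from an infected host.
SAMPLE_LOG = [
    "2020-07-14T14:21:03Z src=10.0.0.23 dst=smtp.topbas-tr.com dport=587 cmd=AUTH user=buking@topbas-tr.com",
    "2020-07-14T14:22:10Z src=10.0.0.24 dst=smtp.example.com dport=587 cmd=AUTH user=alice@example.com",
    "2020-07-14T14:25:44Z src=10.0.0.23 dst=smtp.topbas-tr.com dport=587 cmd=MAIL FROM:<buking@topbas-tr.com>",
]

if __name__ == "__main__":
    cfg = parse_extracted_config(EXTRACTED_CONFIG)
    print(f"exfil endpoint: {cfg.protocol}://{cfg.host}:{cfg.port} as {cfg.username}")
    for hit in hunt_smtp_logs(cfg, SAMPLE_LOG):
        print(hit)
```

The hunt matches on destination host plus port and, separately, on the mailbox account name, so it still catches traffic where the proxy only logged the SMTP envelope and not the connection tuple. Adapt the `key=value` tokenizer to whatever your mail gateway actually emits.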
Signatures
- AgentTesla
  Agent Tesla is a .NET-based remote access tool (RAT) and information stealer.
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description                 pid   process
    Token: SeDebugPrivilege     1880  buk.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes:
    pid   process
    1880  buk.exe
    1880  buk.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.