Analysis
- max time kernel: 114s
- max time network: 120s
- platform: windows7_x64
- resource: win7
- submitted: 14-07-2020 01:17
- Static task: static1
- Behavioral task: behavioral1
  - Sample: packing list .pdf.exe
  - Resource: win7
General
- Target: packing list .pdf.exe
- Size: 739KB
- MD5: 38128c21bb7c951f6916f29d641a3ffc
- SHA1: ee05de47457938350639af461c138c801b54f5b3
- SHA256: 0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2
- SHA512: 66ed56f43932bd1791e245e9671acfc8782f8999c98fe6d3e9ad44ca2b52daea977b42eb196b6f1c3644f8722671d6ee0b0f4b334f86b431e5ef3a23bb066ff7
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: [email protected]
- Password: kingmoney12345
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 3 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/1344-3-0x0000000000400000-0x00000000004A4000-memory.dmp / family_agenttesla
- behavioral1/memory/1344-4-0x0000000000520000-0x000000000056C000-memory.dmp / family_agenttesla
- behavioral1/memory/1344-6-0x00000000001B0000-0x00000000001F6000-memory.dmp / family_agenttesla
-
Processes (resource / yara_rule):
- behavioral1/memory/1344-0-0x0000000000400000-0x00000000004A4000-memory.dmp / upx
- behavioral1/memory/1344-2-0x0000000000400000-0x00000000004A4000-memory.dmp / upx
- behavioral1/memory/1344-3-0x0000000000400000-0x00000000004A4000-memory.dmp / upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs such as FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, and infostealers often target it there.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Suspicious use of SetThreadContext 1 IoCs
Processes (description / pid / process / target process):
- PID 608 set thread context of 1344 / 608 / packing list .pdf.exe / packing list .pdf.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes (pid / process):
- 608 / packing list .pdf.exe
- 1344 / packing list .pdf.exe
- 1344 / packing list .pdf.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid / process):
- 608 / packing list .pdf.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes (description / pid / process):
- Token: SeDebugPrivilege / 1344 / packing list .pdf.exe
-
Suspicious use of WriteProcessMemory 4 IoCs
Processes (description / pid / process / target process):
- PID 608 wrote to memory of 1344 / 608 / packing list .pdf.exe / packing list .pdf.exe
- PID 608 wrote to memory of 1344 / 608 / packing list .pdf.exe / packing list .pdf.exe
- PID 608 wrote to memory of 1344 / 608 / packing list .pdf.exe / packing list .pdf.exe
- PID 608 wrote to memory of 1344 / 608 / packing list .pdf.exe / packing list .pdf.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe"
  PID: 608
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe"
    PID: 1344
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken