Analysis
- max time kernel: 144s
- max time network: 146s
- platform: windows10_x64
- resource: win10v200430
- submitted: 14-07-2020 01:17

Static task: static1
Behavioral task: behavioral1
- Sample: packing list .pdf.exe
- Resource: win7
General
- Target: packing list .pdf.exe
- Size: 739KB
- MD5: 38128c21bb7c951f6916f29d641a3ffc
- SHA1: ee05de47457938350639af461c138c801b54f5b3
- SHA256: 0d0aaa114bac9aa0afb33e6c70959524af7afa277e7700967763c604d4d188c2
- SHA512: 66ed56f43932bd1791e245e9671acfc8782f8999c98fe6d3e9ad44ca2b52daea977b42eb196b6f1c3644f8722671d6ee0b0f4b334f86b431e5ef3a23bb066ff7
Malware Config
Extracted
- Family: agenttesla
- Protocol: smtp
- Host: smtp.yandex.ru
- Port: 587
- Username: [email protected]
- Password: kingmoney12345
Signatures
-
AgentTesla
Agent Tesla is an information-stealing remote access tool (RAT) written in .NET (Visual Basic).
-
AgentTesla Payload (2 IoCs)
Memory dumps:
  resource                                                                     yara_rule
  behavioral2/memory/2068-3-0x0000000000400000-0x00000000004A4000-memory.dmp   family_agenttesla
  behavioral2/memory/2068-4-0x00000000009D0000-0x0000000000A1C000-memory.dmp   family_agenttesla
-
yara_rule upx matched (3 IoCs)
Memory dumps:
  resource                                                                     yara_rule
  behavioral2/memory/2068-0-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
  behavioral2/memory/2068-2-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
  behavioral2/memory/2068-3-0x0000000000400000-0x00000000004A4000-memory.dmp   upx
Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Suspicious use of SetThreadContext (1 IoC)
Processes:
  description                           pid    process                 target process
  PID 2016 set thread context of 2068   2016   packing list .pdf.exe   packing list .pdf.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
  pid    process
  2016   packing list .pdf.exe
  2016   packing list .pdf.exe
  2068   packing list .pdf.exe
  2068   packing list .pdf.exe
-
Suspicious behavior: MapViewOfSection (1 IoC)
Processes:
  pid    process
  2016   packing list .pdf.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid    process
  Token: SeDebugPrivilege   2068   packing list .pdf.exe
-
Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
  description                        pid    process                 target process
  PID 2016 wrote to memory of 2068   2016   packing list .pdf.exe   packing list .pdf.exe
  PID 2016 wrote to memory of 2068   2016   packing list .pdf.exe   packing list .pdf.exe
  PID 2016 wrote to memory of 2068   2016   packing list .pdf.exe   packing list .pdf.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe"
   PID: 2016
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious behavior: MapViewOfSection
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe (child of PID 2016)
      Command line: "C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe"
      PID: 2068
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
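Read together, the signature tables and the process tree describe one technique: the first instance (PID 2016) launches a second copy of the same image (PID 2068), writes into it three times and then calls SetThreadContext on it, after which the child, not the parent, runs the code that enables SeDebugPrivilege and matches the family rule in memory. The block below is an added example, not part of the Triage report, that correlates events of that shape into a single injection finding. The event and tree records are constructed from the report's own tables (PIDs, image path, API names and counts); their field names are this example's, not a Triage export format.

```python
from collections import defaultdict

# Added example: correlate per-API sandbox signatures into a process-injection
# finding. TREE and EVENTS are constructed from the report's tables; the
# record layout is assumed for this example.
IMAGE = r"C:\Users\Admin\AppData\Local\Temp\packing list .pdf.exe"

TREE = {
    2016: {"image": IMAGE, "parent": None},
    2068: {"image": IMAGE, "parent": 2016},
}

EVENTS = [
    {"api": "WriteProcessMemory", "pid": 2016, "target": 2068},
    {"api": "WriteProcessMemory", "pid": 2016, "target": 2068},
    {"api": "WriteProcessMemory", "pid": 2016, "target": 2068},
    {"api": "SetThreadContext", "pid": 2016, "target": 2068},
    {"api": "MapViewOfSection", "pid": 2016, "target": None},   # no target recorded in the report
    {"api": "AdjustPrivilegeToken", "pid": 2068, "target": None, "privilege": "SeDebugPrivilege"},
]

INJECTION_APIS = {"WriteProcessMemory", "SetThreadContext", "MapViewOfSection"}


def _same_image(a, b):
    return a.lower() == b.lower()


def find_injection_chains(tree, events):
    """Group cross-process injection APIs by (source, target) pair and report
    pairs that show both a memory write and a thread-context change."""
    per_pair = defaultdict(lambda: defaultdict(int))   # (src, dst) -> api -> count
    per_pid = defaultdict(lambda: defaultdict(int))    # src -> api -> count (no target)
    privileges = defaultdict(set)                      # pid -> privileges enabled
    for e in events:
        api, pid, target = e["api"], e["pid"], e.get("target")
        if api == "AdjustPrivilegeToken" and e.get("privilege"):
            privileges[pid].add(e["privilege"])
        if api not in INJECTION_APIS:
            continue
        if target is None or target == pid:
            per_pid[pid][api] += 1
        else:
            per_pair[(pid, target)][api] += 1

    findings = []
    for (src, dst), counts in sorted(per_pair.items()):
        # A write alone is noisy (debuggers, AV); a write plus SetThreadContext
        # on another process is the hijack pattern worth surfacing.
        if not (counts["WriteProcessMemory"] and counts["SetThreadContext"]):
            continue
        src_img = tree.get(src, {}).get("image", "")
        dst_img = tree.get(dst, {}).get("image", "")
        self_injection = _same_image(src_img, dst_img) and tree.get(dst, {}).get("parent") == src
        findings.append({
            "source_pid": src,
            "target_pid": dst,
            "writes": counts["WriteProcessMemory"],
            "thread_context_sets": counts["SetThreadContext"],
            "source_map_view_of_section": per_pid[src]["MapViewOfSection"],
            "self_injection": self_injection,
            "target_privileges": sorted(privileges[dst]),
            "assessment": ("parent rewrites a child of its own image and redirects its thread: "
                           "consistent with process hollowing (ATT&CK T1055.012)")
                          if self_injection else
                          "remote memory write plus thread-context change into another process",
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_chains(TREE, EVENTS):
        print(f)
```

The same-image check matters for triage: a parent writing into a child with its own path is what makes this a hollowing pattern rather than a generic remote-thread injection, and it is the reason the family YARA hits and the SeDebugPrivilege token change show up on PID 2068 while all the injection APIs are attributed to PID 2016.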