Analysis
-
max time kernel
84s -
max time network
69s -
platform
windows7_x64 -
resource
win7 -
submitted
14-07-2020 13:25
General
-
Target
Invoice copy.pdf.exe
-
Size
699KB
-
MD5
87de5db071f313cc111754e5853ddb2d
-
SHA1
6f4db55d134f2d08b719b14a3d9a3c328c1ae405
-
SHA256
21327be564dca2dd0136871d257a99b68daf3a09af75a0fb947f65708f1df2b0
-
SHA512
0e0c91a9222d229f6c0fd4c26931cb645bfd80da3e8acdc2997bbda94dda4ab8521e50d780f552ab0d4e0ea0e2ab0c54736c4e26214e0b30864b0aa7de3affd8
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.ru - Port:
587 - Username:
[email protected] - Password:
kingmoney12345
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Invoice copy.pdf.exe"C:\Users\Admin\AppData\Local\Temp\Invoice copy.pdf.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Invoice copy.pdf.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
-
Filesize
304KB
-
-
Filesize
304KB
-
Filesize
304KB