Analysis

  • max time kernel
    104s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    16-07-2020 19:04

General

  • Target

    fty.exe

  • Size

    564KB

  • MD5

    70e0f7eacd578fef1b19738934c8cc1e

  • SHA1

    2c2734a866cac52b7e63c2cc5a982ae9dfb7435e

  • SHA256

    37e2ca0ea6838887745d5f452aea15de2a0ea556a9095a87962c103489942e08

  • SHA512

    2abd6d51a4aa132b2b64a9c4bf06134aacf489b1d82c458bfc5e12e04ff67eef511ffca0995c685209397c710120f99731de78aa7c6eb9530cfe5856f0ce226f

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.blackpearl-tours.com
  • Port:
    587
  • Username:
    [email protected]
  • Password:
    black@123instanbul

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 4 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
  • Looks for VMWare Tools registry key 2 TTPs
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fty.exe
    "C:\Users\Admin\AppData\Local\Temp\fty.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:272
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WUlTxpFkoUWjT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B1C.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1836
    • C:\Users\Admin\AppData\Local\Temp\fty.exe
      "{path}"
      2⤵
        PID:748
      • C:\Users\Admin\AppData\Local\Temp\fty.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:524

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/524-4-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/524-6-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB

    • memory/524-7-0x0000000000400000-0x000000000044C000-memory.dmp

      Filesize

      304KB