Analysis
-
max time kernel
104s -
max time network
34s -
platform
windows7_x64 -
resource
win7v200430 -
submitted
16-07-2020 19:04
Static task
static1
Behavioral task
behavioral1
Sample
fty.exe
Resource
win7v200430
Behavioral task
behavioral2
Sample
fty.exe
Resource
win10v200430
General
-
Target
fty.exe
-
Size
564KB
-
MD5
70e0f7eacd578fef1b19738934c8cc1e
-
SHA1
2c2734a866cac52b7e63c2cc5a982ae9dfb7435e
-
SHA256
37e2ca0ea6838887745d5f452aea15de2a0ea556a9095a87962c103489942e08
-
SHA512
2abd6d51a4aa132b2b64a9c4bf06134aacf489b1d82c458bfc5e12e04ff67eef511ffca0995c685209397c710120f99731de78aa7c6eb9530cfe5856f0ce226f
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
mail.blackpearl-tours.com - Port:
587 - Username:
[email protected] - Password:
black@123instanbul
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/524-4-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/524-5-0x000000000044756E-mapping.dmp family_agenttesla behavioral1/memory/524-6-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/524-7-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Looks for VirtualBox Guest Additions in registry 2 TTPs
-
Looks for VMWare Tools registry key 2 TTPs
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion fty.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion fty.exe -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum fty.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 fty.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 272 set thread context of 524 272 fty.exe 30 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1836 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 272 fty.exe 272 fty.exe 524 fty.exe 524 fty.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 272 fty.exe Token: SeDebugPrivilege 524 fty.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 524 fty.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 272 wrote to memory of 1836 272 fty.exe 27 PID 272 wrote to memory of 1836 272 fty.exe 27 PID 272 wrote to memory of 1836 272 fty.exe 27 PID 272 wrote to memory of 1836 272 fty.exe 27 PID 272 wrote to memory of 748 272 fty.exe 29 PID 272 wrote to memory of 748 272 fty.exe 29 PID 272 wrote to memory of 748 272 fty.exe 29 PID 272 wrote to memory of 748 272 fty.exe 29 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30 PID 272 wrote to memory of 524 272 fty.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\fty.exe"C:\Users\Admin\AppData\Local\Temp\fty.exe"1⤵
- Checks BIOS information in registry
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:272 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WUlTxpFkoUWjT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3B1C.tmp"2⤵
- Creates scheduled task(s)
PID:1836
-
-
C:\Users\Admin\AppData\Local\Temp\fty.exe"{path}"2⤵PID:748
-
-
C:\Users\Admin\AppData\Local\Temp\fty.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:524
-