Analysis
- max time kernel: 147s
- max time network: 28s
- platform: windows7_x64
- resource: win7v200430
- submitted: 16-07-2020 06:27
Static task: static1
Behavioral task: behavioral1
- Sample: Scan Photos of products and artwork.img.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Scan Photos of products and artwork.img.exe
- Resource: win10
General
- Target: Scan Photos of products and artwork.img.exe
- Size: 552KB
- MD5: 468b7ce77fc3beed814fae4520edf901
- SHA1: 97675936f4cf69a0f0d5af641fcdc59319d47f19
- SHA256: 5304693d6029d4d724fbf463b0850f718f978c96f2851769c6e5d83c6995c41f
- SHA512: 188811256f22f3f2253abcbfc0e95f5a3320af581828887567e19b1716531e4ac5cacd401d763cdaa13fa91c56ce193829b6665b35a212be90aab6f979696c68
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: bh-58.webhostbox.net
- Port: 587
- Username: [email protected]
- Password: 7213575aceACE@#$
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 4 IoCs
Processes:
resource | yara_rule
- behavioral1/memory/1224-2-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/1224-3-0x0000000000446A9E-mapping.dmp | family_agenttesla
- behavioral1/memory/1224-4-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
- behavioral1/memory/1224-5-0x0000000000400000-0x000000000044C000-memory.dmp | family_agenttesla
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
- ioc: \REGISTRY\USER\S-1-5-21-910373003-3952921535-3480519689-1000\Software\Microsoft\Windows\CurrentVersion\Run\donstan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\donstan\\donstan.exe"
- process: Scan Photos of products and artwork.img.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- description: PID 904 set thread context of 1224
- pid: 904
- process: Scan Photos of products and artwork.img.exe
- target process: Scan Photos of products and artwork.img.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- pid: 1224, process: Scan Photos of products and artwork.img.exe
- pid: 1224, process: Scan Photos of products and artwork.img.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- description: Token: SeDebugPrivilege
- pid: 1224
- process: Scan Photos of products and artwork.img.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid: 1224, process: Scan Photos of products and artwork.img.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes (9 identical entries):
- description: PID 904 wrote to memory of 1224
- pid: 904
- process: Scan Photos of products and artwork.img.exe
- target process: Scan Photos of products and artwork.img.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Scan Photos of products and artwork.img.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Scan Photos of products and artwork.img.exe"
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - (child) C:\Users\Admin\AppData\Local\Temp\Scan Photos of products and artwork.img.exe
    Command line: "{path}"
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/904-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1224-2-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1224-3-0x0000000000446A9E-mapping.dmp
- memory/1224-4-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1224-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)