Analysis
-
max time kernel
111s -
max time network
117s -
platform
windows7_x64 -
resource
win7 -
submitted
16-07-2020 13:46
Static task
static1
Behavioral task
behavioral1
Sample
Inquiry162020.exe
Resource
win7
Behavioral task
behavioral2
Sample
Inquiry162020.exe
Resource
win10v200430
General
-
Target
Inquiry162020.exe
-
Size
561KB
-
MD5
545f0d6c85e724cdf181bbb695d6adb1
-
SHA1
d2593a8ab114593c16b77914acddd9d917fb58a1
-
SHA256
b6e27dd859c2b932284d6a65629a1df3f262ba01b11c56281935dcf6beecdf8f
-
SHA512
2b896a6b3f09148a5b912d5a4e2cf0014ddd52abc3ba38f67ca79bfc53f440802b45542cc9b4cabedd5c8e0cea9f413c0a368f98fc04adf4ad7af456cb6dceee
Malware Config
Extracted
agenttesla
Protocol: smtp- Host:
us2.smtp.mailhostbox.com - Port:
587 - Username:
[email protected] - Password:
anyanwu3116
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
resource yara_rule behavioral1/memory/240-2-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/240-3-0x0000000000446EFE-mapping.dmp family_agenttesla behavioral1/memory/240-4-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla behavioral1/memory/240-5-0x0000000000400000-0x000000000044C000-memory.dmp family_agenttesla -
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\YYtJku = "C:\\Users\\Admin\\AppData\\Roaming\\YYtJku\\YYtJku.exe" Inquiry162020.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 900 set thread context of 240 900 Inquiry162020.exe 24 -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 240 Inquiry162020.exe 240 Inquiry162020.exe -
Suspicious behavior: RenamesItself 1 IoCs
pid Process 240 Inquiry162020.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 240 Inquiry162020.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24 PID 900 wrote to memory of 240 900 Inquiry162020.exe 24
Processes
-
C:\Users\Admin\AppData\Local\Temp\Inquiry162020.exe"C:\Users\Admin\AppData\Local\Temp\Inquiry162020.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:900 -
C:\Users\Admin\AppData\Local\Temp\Inquiry162020.exe"{path}"2⤵
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
PID:240
-