Analysis
- Max time kernel: 96s
- Max time network: 112s
- Platform: windows10_x64
- Resource: win10
- Submitted: 17-07-2020 17:22
Static task: static1
Behavioral task: behavioral1
- Sample: Facturas pagadas al Ve....bat.exe
- Resource: win7v200430
Behavioral task: behavioral2
- Sample: Facturas pagadas al Ve....bat.exe
- Resource: win10
General
- Target: Facturas pagadas al Ve....bat.exe
- Size: 867KB
- MD5: f467da4ad4e1b0a1a30ee9aefa881fc0
- SHA1: bb3815a9301b15ecd427489ad27d62b09db5b82a
- SHA256: 80e81d5862eeb8f64349e953e74d0ceef0d5a691dfdbf5d9301b9e6d7cc84635
- SHA512: 53d23ff6829e455a6a15e974095a6588be37bddfd8f8adc8a6cfb0e4bf9d72f6ed2be57249eb0f3e0d54370fd19d61b045d532471b6ec198954cf309dfab1c6a
Malware Config
Extracted (family: agenttesla; both extractions returned the same configuration)
- Protocol: smtp
- Host: mail.magicpharma.pt
- Port: 587
- Username: [email protected]
- Password: Mc@1234
This is the exfiltration channel: Agent Tesla mails the harvested data out over authenticated SMTP (submission port 587) using the embedded mailbox credentials, so the host, account and password are network IoCs for this sample.
Signatures
- AgentTesla
  Agent Tesla is a .NET information stealer and remote access tool (RAT) written in Visual Basic; it harvests credentials from browsers, mail and FTP clients and exfiltrates them, here over SMTP as the extracted config shows.
- AgentTesla Payload (2 IoCs)
  Memory dumps matching YARA rule family_agenttesla:
  behavioral2/memory/1736-3-0x0000000000400000-0x000000000044C000-memory.dmp
  behavioral2/memory/1736-4-0x000000000044739E-mapping.dmp
  Both hits are in PID 1736 (the second instance of the sample) in the 0x400000-0x44C000 region, the default image base of a 32-bit PE, i.e. the unpacked payload rather than the file on disk.
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Suspicious use of SetThreadContext (1 IoC)
  PID 3892 (Facturas pagadas al Ve....bat.exe) set thread context of PID 1736 (Facturas pagadas al Ve....bat.exe)
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 1736 (Facturas pagadas al Ve....bat.exe), 2 events
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  PID 1736 (Facturas pagadas al Ve....bat.exe) enabled Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  PID 3892 (Facturas pagadas al Ve....bat.exe) wrote to memory of PID 1736 (Facturas pagadas al Ve....bat.exe), 8 times
Taken together (the first instance launches a second copy of its own image, writes into it eight times, then resets a thread context, after which the Agent Tesla payload is found in the child's memory at 0x400000), this is consistent with the RunPE / process-hollowing pattern: the executable on disk is a loader and the child process runs the unpacked Agent Tesla.
Processes
- C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve....bat.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve....bat.exe"
  PID: 3892
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve....bat.exe (child of PID 3892)
    Command line: "{path}"
    PID: 1736
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  Command line: C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
  PID: 3856
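The following Python is an added illustration, not part of the sandbox report or the sandbox's own tooling: it correlates behavioural events written in the wording this report uses (WriteProcessMemory and SetThreadContext IoCs, the process tree, and the memory-dump names from the YARA hits) into a single self-injection finding, and checks that the payload region lies in the injected child. The event strings and process tree are constructed from the report above; all function names and the dump-name grammar are assumptions of this example.

```python
"""Correlate sandbox behavioural events into a process-hollowing finding.

Added illustration, not part of the sandbox report or its tooling.  The
event strings, process tree and memory-dump names below are constructed to
mirror this report's wording; every function name here is our own.
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample input in the report's wording: eight identical
# WriteProcessMemory IoCs followed by the SetThreadContext IoC.
EVENTS: List[str] = ["PID 3892 wrote to memory of 1736"] * 8 + [
    "PID 3892 set thread context of 1736",
]
# Process tree from the report: image path per PID and parent per PID.
IMAGE: Dict[int, str] = {
    3892: r"C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve....bat.exe",
    1736: r"C:\Users\Admin\AppData\Local\Temp\Facturas pagadas al Ve....bat.exe",
    3856: r"C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe",
}
PARENT: Dict[int, int] = {1736: 3892}
# Memory-dump names from the YARA hits (family_agenttesla).
MEMORY_HITS: List[str] = [
    "behavioral2/memory/1736-3-0x0000000000400000-0x000000000044C000-memory.dmp",
    "behavioral2/memory/1736-4-0x000000000044739E-mapping.dmp",
]

_EVENT_RE = re.compile(r"PID (\d+) (wrote to memory of|set thread context of) (\d+)")
# Assumed dump-name grammar: <task>/memory/<pid>-<n>-0x<start>[-0x<end>]-<kind>.dmp
_DUMP_RE = re.compile(
    r"^(?P<task>[^/]+)/memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$"
)


def parse_event(line: str) -> Tuple[str, int, int]:
    """Return (verb, source_pid, target_pid); verb is 'write' or 'setctx'."""
    m = _EVENT_RE.fullmatch(line.strip())
    if m is None:
        raise ValueError(f"unrecognised event line: {line!r}")
    verb = "write" if m.group(2).startswith("wrote") else "setctx"
    return verb, int(m.group(1)), int(m.group(3))


def parse_memory_hit(name: str) -> dict:
    """Split a dump name into pid, region and kind.

    'memory' dumps carry a start and end address (a whole region); 'mapping'
    dumps carry only the single address the rule matched at.
    """
    m = _DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    return {
        "task": m["task"], "pid": int(m["pid"]), "index": int(m["idx"]),
        "start": start, "end": end,
        "size": (end - start) if end is not None else None,
        "kind": m["kind"],
    }


def find_self_injection(events: List[str], image: Dict[int, str], parent: Dict[int, int]) -> list:
    """Flag (writer, target) pairs that look like RunPE / process hollowing.

    Required: process A wrote into process B at least once AND changed a
    thread context in B.  Recorded as extra evidence, not required: B was
    spawned by A, and A and B run the same image (the loader re-launched
    its own binary to host the unpacked payload).
    """
    writes: Counter = Counter()
    setctx = set()
    for line in events:
        verb, src, dst = parse_event(line)
        if src == dst:  # a process touching its own memory is not injection
            continue
        if verb == "write":
            writes[(src, dst)] += 1
        else:
            setctx.add((src, dst))
    findings = []
    for src, dst in sorted(setctx):
        if writes[(src, dst)] == 0:
            continue  # context changed but nothing written: not hollowing
        findings.append({
            "src": src, "dst": dst, "writes": writes[(src, dst)],
            "same_image": image.get(src) == image.get(dst),
            "spawned_by_writer": parent.get(dst) == src,
        })
    return findings


def payload_in_target(hits: List[dict], finding: dict) -> Tuple[list, list]:
    """Return the YARA-hit regions inside the injection target, and the
    single-address hits that fall within one of those regions."""
    regions = [h for h in hits if h["pid"] == finding["dst"] and h["end"] is not None]
    points = [h for h in hits if h["pid"] == finding["dst"] and h["end"] is None]
    covered = [p for p in points if any(r["start"] <= p["start"] < r["end"] for r in regions)]
    return regions, covered


if __name__ == "__main__":
    parsed_hits = [parse_memory_hit(n) for n in MEMORY_HITS]
    for f in find_self_injection(EVENTS, IMAGE, PARENT):
        regions, covered = payload_in_target(parsed_hits, f)
        print(f"PID {f['src']} -> PID {f['dst']}: {f['writes']} writes then SetThreadContext; "
              f"same image={f['same_image']}, child of writer={f['spawned_by_writer']}")
        for r in regions:
            print(f"  payload region 0x{r['start']:X}-0x{r['end']:X} ({r['size']} bytes) in PID {r['pid']}")
        for p in covered:
            print(f"  match at 0x{p['start']:X} lies inside that region")
```

The write count and the SetThreadContext event are what make the finding; the same-image and parent-child checks are reported alongside because they distinguish a loader re-launching its own file (as here) from injection into an unrelated process, which would point to a different technique.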
Network
MITRE ATT&CK Enterprise v6
Downloads
Artifact produced by the run (its hashes differ from the submitted sample's):
- MD5: 7e575b2dc3e01db6b834fd9fda69805d
- SHA1: d1c6717027d6533440f079714f1cc9ad7c16e0a4
- SHA256: 42582eab0711e00c46ada28110f83b8d17201128ea7d0c1b3058d93fb423ef84
- SHA512: c9204900249128ed0319c43ea89559a3e092fe195258bfeea73e67888df8cca69b7cc10562bfa83bc09c1f6ec0fbd389e7ba7016e3728b8964c3563d86bd4592