Analysis

  • max time kernel
    114s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    31-07-2020 17:15

General

  • Target

    NEW RFQ.exe

  • Size

    726KB

  • MD5

    2b3645fa1dba023aa4f7a32b84242839

  • SHA1

    ff913e68785f4aab041c85fce1e039087fc09757

  • SHA256

    a7879f81b9af693705fbbda07a1a2a5ebfdcccc7b1184f70fd6d3285da9f2f2d

  • SHA512

    e10b5b68580b62d072369edcde86a0253c2c9a0d8604dbee2d482735aeab302e76d6e38864c2919b9538bacebba5fe8f9596a5356d49e5f243e5b9ee6a9789d9

Malware Config

Extracted

Family

agenttesla

Credentials

  • Protocol:
    smtp
  • Host:
    mail.flsrnidth.com
  • Port:
    587
  • Username:
    subbarayan.sathiyaraj@flsrnidth.com
  • Password:
    x{Op,7(4O+yl

Signatures

  • AgentTesla

    Agent Tesla is a remote access tool (RAT) written in visual basic.

  • AgentTesla Payload 4 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEW RFQ.exe
    "C:\Users\Admin\AppData\Local\Temp\NEW RFQ.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1612
    • C:\Users\Admin\AppData\Local\Temp\NEW RFQ.exe
      "{path}"
      2⤵
        PID:1768
      • C:\Users\Admin\AppData\Local\Temp\NEW RFQ.exe
        "{path}"
        2⤵
          PID:1824
        • C:\Users\Admin\AppData\Local\Temp\NEW RFQ.exe
          "{path}"
          2⤵
          • Adds Run key to start application
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          PID:1788

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Credentials in Files

      3
      T1081

      Collection

      Data from Local System

      3
      T1005

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1612-1-0x0000000000000000-0x0000000000000000-disk.dmp
      • memory/1788-5-0x0000000000400000-0x000000000044C000-memory.dmp
        Filesize

        304KB

      • memory/1788-6-0x000000000044729E-mapping.dmp
      • memory/1788-7-0x0000000000400000-0x000000000044C000-memory.dmp
        Filesize

        304KB

      • memory/1788-8-0x0000000000400000-0x000000000044C000-memory.dmp
        Filesize

        304KB