Analysis
- max time kernel: 140s
- max time network: 142s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 12:12
- Static task: static1
- Behavioral task: behavioral1
- Sample: Image001.exe
- Resource: win7
General
- Target: Image001.exe
- Size: 765KB
- MD5: cbb4755899817e5408789fc7c3ae5979
- SHA1: e061fb307227f68bf9241a55ade9fa1976be5782
- SHA256: 9f0c636096918ffd81f45e54f65d8992726cbfbef9a8d087476ab5360590d35d
- SHA512: 2712bc7ff4eb3204d04fbfc033d3a2c1503662a1b73415ab1fefddbf3719337cbbd4d7857ff311a3db0e53ebfb2d7335ed11bc5f8183d260372080761ab43f36
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: ikpc5@yandex.com
- Password: afoerinwa123456789
Signatures
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk where infostealers will often target it.
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    3496  Image001.exe
    3496  Image001.exe
    3216  Image001.exe
    3216  Image001.exe
- Suspicious behavior: MapViewOfSection (1 IoC)
  Processes:
    pid   process
    3496  Image001.exe
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process       target process
    PID 3496 set thread context of 3216  3496  Image001.exe  Image001.exe
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/3216-1-0x00000000004A2490-mapping.dmp                    agent_tesla
    behavioral2/memory/3216-3-0x0000000000400000-0x00000000004A4000-memory.dmp  agent_tesla
    behavioral2/memory/3216-3-0x0000000000400000-0x00000000004A4000-memory.dmp  agent_tesla
    behavioral2/memory/3216-4-0x0000000002170000-0x00000000021BC000-memory.dmp  agent_tesla
    behavioral2/memory/3216-4-0x0000000002170000-0x00000000021BC000-memory.dmp  agent_tesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                     pid   process       target process
    PID 3496 wrote to memory of 3216  3496  Image001.exe  Image001.exe
    PID 3496 wrote to memory of 3216  3496  Image001.exe  Image001.exe
    PID 3496 wrote to memory of 3216  3496  Image001.exe  Image001.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3216  Image001.exe
  Processes:
    resource                                                                    yara_rule
    behavioral2/memory/3216-0-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral2/memory/3216-0-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral2/memory/3216-2-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral2/memory/3216-2-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral2/memory/3216-3-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
    behavioral2/memory/3216-3-0x0000000000400000-0x00000000004A4000-memory.dmp  upx
Processes
- C:\Users\Admin\AppData\Local\Temp\Image001.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Image001.exe (child process)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Image001.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3216-0-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3216-1-0x00000000004A2490-mapping.dmp
- memory/3216-2-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3216-3-0x0000000000400000-0x00000000004A4000-memory.dmp (Filesize: 656KB)
- memory/3216-4-0x0000000002170000-0x00000000021BC000-memory.dmp (Filesize: 304KB)
- memory/3216-5-0x0000000002212000-0x0000000002213000-memory.dmp (Filesize: 4KB)