Analysis
- max time kernel: 138s
- max time network: 140s
- platform: windows10_x64
- resource: win10v200722
- submitted: 31-07-2020 11:02
Static task: static1
Behavioral task: behavioral1
Sample: 20OA06052_085812310720.exe
Resource: win7
General
- Target: 20OA06052_085812310720.exe
- Size: 716KB
- MD5: a5a88021e46df03d29bec0dbb015d057
- SHA1: b28ca8a8b0ad0712ddc0e146c44f6f89f0fa652c
- SHA256: 24154b374505bf76998acbeb5dafbf42a61a516234f2f1b708784ec3669bfbd1
- SHA512: c0286b2d708bc97e0d2c5fdc0846729ada95f9ac1f6210c149e8db8fcbc44455206be2f2eb0bca57c1935f7dfa7cbc0bc4bf09e9dc797be11b3e5263c971b986
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.solivera.com
- Port: 587
- Username: info@solivera.com
- Password: .7S+{Gv&\{
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
-
AgentTesla Payload 2 IoCs
resource | yara_rule
behavioral2/memory/3912-3-0x0000000000400000-0x00000000004A6000-memory.dmp | family_agenttesla
behavioral2/memory/3912-4-0x0000000002190000-0x00000000021DC000-memory.dmp | family_agenttesla
-
resource | yara_rule
behavioral2/memory/3912-0-0x0000000000400000-0x00000000004A6000-memory.dmp | upx
behavioral2/memory/3912-2-0x0000000000400000-0x00000000004A6000-memory.dmp | upx
behavioral2/memory/3912-3-0x0000000000400000-0x00000000004A6000-memory.dmp | upx
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk, where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
description | pid | process | target process
PID 3288 set thread context of 3912 | 3288 | 20OA06052_085812310720.exe | 20OA06052_085812310720.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
3288 | 20OA06052_085812310720.exe
3288 | 20OA06052_085812310720.exe
3912 | 20OA06052_085812310720.exe
3912 | 20OA06052_085812310720.exe
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
pid | process
3288 | 20OA06052_085812310720.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3912 | 20OA06052_085812310720.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description | pid | process | target process
PID 3288 wrote to memory of 3912 | 3288 | 20OA06052_085812310720.exe | 20OA06052_085812310720.exe
PID 3288 wrote to memory of 3912 | 3288 | 20OA06052_085812310720.exe | 20OA06052_085812310720.exe
PID 3288 wrote to memory of 3912 | 3288 | 20OA06052_085812310720.exe | 20OA06052_085812310720.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20OA06052_085812310720.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20OA06052_085812310720.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\20OA06052_085812310720.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\20OA06052_085812310720.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3912-0-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3912-1-0x00000000004A3FF0-mapping.dmp
- memory/3912-2-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3912-3-0x0000000000400000-0x00000000004A6000-memory.dmp (Filesize: 664KB)
- memory/3912-4-0x0000000002190000-0x00000000021DC000-memory.dmp (Filesize: 304KB)
- memory/3912-5-0x00000000022B2000-0x00000000022B3000-memory.dmp (Filesize: 4KB)