Analysis
- max time kernel: 143s
- max time network: 34s
- platform: windows7_x64
- resource: win7v200722
- submitted: 31-07-2020 13:25
Static task: static1
Behavioral task: behavioral1
- Sample: Convite Do Tribunal.exe
- Resource: win7v200722
Behavioral task: behavioral2
- Sample: Convite Do Tribunal.exe
- Resource: win10
General
- Target: Convite Do Tribunal.exe
- Size: 432KB
- MD5: 5eda5883dc925b61fb5dd03a86037930
- SHA1: f891d472c8c54bd5419208f202cdacb71e17a97c
- SHA256: 51b758ec870caeca167e24b4e7da08a9628a99ac033823420d3e6ea204ec8e2c
- SHA512: 1745aeaca73fc2f39ff121ee0b79c718cea89b3fc69440095b59682d0358f61d0ad2bc1c520da1ca6dad1c30e1145be9de6417804b50c065816fe42647d5b96f
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: smtp.pharco--corp.com
- Port: 587
- Username: mohamed.elshimy@pharco--corp.com
- Password: tHKfMRa2
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- AgentTesla Payload (4 IoCs)
  Processes:
  resource                                                                     yara_rule
  behavioral1/memory/1828-3-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1828-4-0x0000000000446F1E-mapping.dmp                    family_agenttesla
  behavioral1/memory/1828-5-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
  behavioral1/memory/1828-6-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, which infostealers often target.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Suspicious use of SetThreadContext (1 IoC)
  Processes:
  description                          pid   process                  target process
  PID 1108 set thread context of 1828  1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
  pid   process
  1108  Convite Do Tribunal.exe
  1108  Convite Do Tribunal.exe
  1108  Convite Do Tribunal.exe
  1828  Convite Do Tribunal.exe
  1828  Convite Do Tribunal.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1108  Convite Do Tribunal.exe
  Token: SeDebugPrivilege  1828  Convite Do Tribunal.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes:
  description                         pid   process                  target process
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
  PID 1108 wrote to memory of 1828    1108  Convite Do Tribunal.exe  Convite Do Tribunal.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Convite Do Tribunal.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Convite Do Tribunal.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Convite Do Tribunal.exe (depth 2)
    Command line: "{path}"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1828-3-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1828-4-0x0000000000446F1E-mapping.dmp
- memory/1828-5-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)
- memory/1828-6-0x0000000000400000-0x000000000044C000-memory.dmp (Filesize: 304KB)