Analysis
- max time kernel: 109s
- max time network: 77s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 10:12
Static task: static1
Behavioral task: behavioral1 (Sample: scan copy.exe, Resource: win7)
Behavioral task: behavioral2 (Sample: scan copy.exe, Resource: win10v200722)
General
- Target: scan copy.exe
- Size: 479KB
- MD5: 439bff3720a10a5edec44dadfd4e53d7
- SHA1: 6d1b8ec46da61b2d690f15169e85deec829d45c3
- SHA256: e71c74d33683e14022e6d0f0e7a14efcf744c7d4aec03216934dbf17eba9eacb
- SHA512: 034b8e8f0c0b7ce7e7efdc05e897fe42aef3105ed05e430c8a6a9ea5f92eacc26211ce882ac158966f0d06f052f61f2ff25c4edd5a61fdedcc17bdc00c3ea2f4
Malware Config
Extracted (family: agenttesla)
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: ogb.oils@yandex.com
- Password: Simple262627
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.

AgentTesla Payload (4 IoCs)
resource                                                                    yara_rule
behavioral1/memory/1044-2-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
behavioral1/memory/1044-3-0x0000000000446CFE-mapping.dmp                    family_agenttesla
behavioral1/memory/1044-4-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla
behavioral1/memory/1044-5-0x0000000000400000-0x000000000044C000-memory.dmp  family_agenttesla

Drops file in Drivers directory (1 IoC)
description                   ioc                                    process
File opened for modification  C:\Windows\system32\drivers\etc\hosts  scan copy.exe

Reads data files stored by FTP clients (2 TTPs)
Tries to access configuration files associated with programs like FileZilla.

Reads user/profile data of local email clients (2 TTPs)
Email clients store some user data on disk, where infostealers often target it.

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Suspicious use of SetThreadContext (1 IoC)
description                          pid   process        target process
PID 1108 set thread context of 1044  1108  scan copy.exe  scan copy.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid   process
1108  scan copy.exe
1108  scan copy.exe
1044  scan copy.exe
1044  scan copy.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description              pid   process
Token: SeDebugPrivilege  1108  scan copy.exe
Token: SeDebugPrivilege  1044  scan copy.exe

Suspicious use of SetWindowsHookEx (1 IoC)
pid   process
1044  scan copy.exe

Suspicious use of WriteProcessMemory (9 IoCs)
description                       pid   process        target process
PID 1108 wrote to memory of 1044  1108  scan copy.exe  scan copy.exe   (9 identical events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\scan copy.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\scan copy.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\scan copy.exe (child of 1)
      Command line: "C:\Users\Admin\AppData\Local\Temp\scan copy.exe"
      - Drops file in Drivers directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
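The signature tables and process tree above together record the classic self-hollowing chain: the first scan copy.exe (PID 1108) takes SeDebugPrivilege, spawns a second instance of its own image (PID 1044), writes into it nine times, replaces a thread context (the 0x446CFE mapping is the new entry point inside the 0x400000-0x44C000 image), and the child then opens the hosts file for modification. The following is an added triage example, not part of the sandbox report and not tria.ge code: it runs detection logic over event records constructed to mirror the report. The record shape (dicts with "api", "pid", "target_pid", "image", "path") is an assumption made for this example, not the sandbox's export format.

```python
"""Added example: flag process hollowing and hosts-file tampering from
sandbox-style behaviour events. The event list below is constructed from
the report's signature tables; the field names are an assumption for this
example, not a real sandbox export format."""
from collections import defaultdict

# Constructed to mirror the report: 1108 injects into 1044 (same image),
# then 1044 opens the hosts file for writing.
EVENTS = [
    {"api": "AdjustPrivilegeToken", "pid": 1108, "image": "scan copy.exe",
     "detail": "SeDebugPrivilege"},
    {"api": "SetThreadContext", "pid": 1108, "target_pid": 1044,
     "image": "scan copy.exe", "target_image": "scan copy.exe"},
] + [
    {"api": "WriteProcessMemory", "pid": 1108, "target_pid": 1044,
     "image": "scan copy.exe", "target_image": "scan copy.exe"}
    for _ in range(9)   # the report lists nine identical write events
] + [
    {"api": "AdjustPrivilegeToken", "pid": 1044, "image": "scan copy.exe",
     "detail": "SeDebugPrivilege"},
    {"api": "SetWindowsHookEx", "pid": 1044, "image": "scan copy.exe"},
    {"api": "FileOpen", "pid": 1044, "image": "scan copy.exe",
     "path": r"C:\Windows\system32\drivers\etc\hosts", "access": "write"},
]

# Both of these from one process into another is the hollowing signature;
# either alone is common in legitimate debuggers and installers.
HOLLOWING_APIS = {"WriteProcessMemory", "SetThreadContext"}


def find_hollowing(events):
    """Return (src_pid, dst_pid, same_image) for every process that both wrote
    to another process's memory and replaced a thread context in it.
    same_image=True is the self-hollowing variant seen in this report."""
    seen = defaultdict(set)   # (src_pid, dst_pid) -> cross-process APIs observed
    same_image = {}
    for ev in events:
        if ev["api"] in HOLLOWING_APIS and "target_pid" in ev:
            key = (ev["pid"], ev["target_pid"])
            seen[key].add(ev["api"])
            same_image[key] = ev["image"] == ev.get("target_image")
    return sorted((src, dst, same_image[(src, dst)])
                  for (src, dst), apis in seen.items() if apis == HOLLOWING_APIS)


def hosts_file_writes(events):
    """PIDs that opened the hosts file with write access. The report records
    only the open; the content written is not captured, so this is an IoC
    for tampering, not proof of what was changed."""
    return sorted({ev["pid"] for ev in events
                   if ev["api"] == "FileOpen" and ev.get("access") == "write"
                   and ev["path"].lower().endswith(r"drivers\etc\hosts")})


def region_size_kb(start, end):
    """Size of a dumped region; 0x400000-0x44C000 is the 304KB payload image
    listed under Downloads."""
    return (end - start) // 1024


def triage(events):
    """Combine the two findings: a hollowed child that goes on to touch the
    hosts file is escalated rather than left as two separate low-severity hits."""
    pairs = find_hollowing(events)
    writers = hosts_file_writes(events)
    return {
        "hollowing": pairs,
        "hosts_writers": writers,
        "escalate": any(child in writers for _, child, _ in pairs),
    }


if __name__ == "__main__":
    print(triage(EVENTS))
```

The pairing of WriteProcessMemory with SetThreadContext on the same (source, target) pair is what separates hollowing from ordinary cross-process activity; correlating it with the child's later hosts-file open is what turns two medium-confidence signatures into one high-confidence verdict.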
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1044-2-0x0000000000400000-0x000000000044C000-memory.dmp  Filesize 304KB
- memory/1044-3-0x0000000000446CFE-mapping.dmp
- memory/1044-4-0x0000000000400000-0x000000000044C000-memory.dmp  Filesize 304KB
- memory/1044-5-0x0000000000400000-0x000000000044C000-memory.dmp  Filesize 304KB
- memory/1108-1-0x0000000000000000-0x0000000000000000-disk.dmp