Analysis
- max time kernel: 97s
- max time network: 118s
- platform: windows10_x64
- resource: win10
- submitted: 31-07-2020 13:44

Static task: static1

Behavioral task: behavioral1
- Sample: Copy of items needed.exe
- Resource: win7

Behavioral task: behavioral2
- Sample: Copy of items needed.exe
- Resource: win10
General
- Target: Copy of items needed.exe
- Size: 483KB
- MD5: ba217edfb5b42263b608a85d5c98f242
- SHA1: 66377a61f38ba4846548919f194883199858f05b
- SHA256: cd6b21ec1d160de963ffb891b3a41b8c4c33eaee4458523108b9df1eafdabd4b
- SHA512: 917281b0e464ae61af79a026518348c2c97efe172f5fdfa009f5ea10af66e78a735539fcb09e905b1ee9b02689cd14c8cc5ab5a160fddcc0c6d16577c4eaa6c1
Malware Config
Extracted
- Protocol: smtp
- Host: smtp.yandex.com
- Port: 587
- Username: Seeman30@yandex.com
- Password: ikem123456789
Signatures

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  3868  Copy of items needed.exe
    Token: SeDebugPrivilege  3384  Copy of items needed.exe

- Suspicious behavior: EnumeratesProcesses (5 IoCs)
  Processes:
    pid   process
    3868  Copy of items needed.exe
    3868  Copy of items needed.exe
    3868  Copy of items needed.exe
    3384  Copy of items needed.exe
    3384  Copy of items needed.exe

- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
  Processes:
    resource                                                                     yara_rule
    behavioral2/memory/3384-0-0x0000000000400000-0x000000000044C000-memory.dmp  agent_tesla
    behavioral2/memory/3384-0-0x0000000000400000-0x000000000044C000-memory.dmp  agent_tesla
    behavioral2/memory/3384-1-0x000000000044714E-mapping.dmp                    agent_tesla

- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                       pid   process                   target process
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
    PID 3868 wrote to memory of 3384  3868  Copy of items needed.exe  Copy of items needed.exe

- Suspicious use of SetThreadContext (1 IoC)
  Processes:
    description                          pid   process                   target process
    PID 3868 set thread context of 3384  3868  Copy of items needed.exe  Copy of items needed.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, among other data.

- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers will often target it.
Processes

1. C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of WriteProcessMemory
   - Suspicious use of SetThreadContext

   2. C:\Users\Admin\AppData\Local\Temp\Copy of items needed.exe
      Command line: "{path}"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious behavior: EnumeratesProcesses