Analysis
-
max time kernel
143s -
max time network
83s -
platform
windows7_x64 -
resource
win7v200722 -
submitted
31-07-2020 13:26
General
-
Target
Shipping Documents.exe
-
Size
783KB
-
MD5
e5bde8a869853246fcb3e03f8549745b
-
SHA1
e615e5d128153806519a2d7e500dc3f15a72aaed
-
SHA256
ee262364ef33326ce4d145a1bc920ded3750d2d73596c623962080b58084de1d
-
SHA512
eb646865c32e2882d9ef11f9dd4ccc4c794ffe4e714ecdc7a74d7f738425b0b0e4637a4f5cc9d2a8a5ea1b7ed673eb11656dffcb5e758641b463d5d52ca76536
Score
10/10
Malware Config
Extracted
Family
agenttesla
Credentials
Protocol: smtp- Host:
smtp.yandex.com - Port:
587 - Username:
gamzyolowo@yandex.com - Password:
chikaaka1
Signatures
-
AgentTesla
Agent Tesla is a remote access tool (RAT) written in visual basic.
-
AgentTesla Payload 4 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"C:\Users\Admin\AppData\Local\Temp\Shipping Documents.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"{path}"2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1680-1-0x0000000000000000-0x0000000000000000-disk.dmp
-
memory/1988-2-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1988-3-0x000000000044A09E-mapping.dmp
-
memory/1988-4-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB
-
memory/1988-5-0x0000000000400000-0x0000000000450000-memory.dmpFilesize
320KB