Analysis
- max time kernel: 93s
- max time network: 66s
- platform: windows7_x64
- resource: win7
- submitted: 31-07-2020 12:12
Static task: static1

Behavioral task: behavioral1
- Sample: AWB.exe
- Resource: win7 (windows7_x64)
- 0 signatures, 0 seconds

Behavioral task: behavioral2
- Sample: AWB.exe
- Resource: win10v200722 (windows10_x64)
- 0 signatures, 0 seconds
General
- Target: AWB.exe
- Size: 789KB
- MD5: 00e07fbc04097cb40012208c6d59961f
- SHA1: 965e3a6594cba057b116b9f53aabd8976d815058
- SHA256: 2e5adc24258e0aae79b688b0310985210ab03bffb789da8c80f5d2172e0ff323
- SHA512: 85cf5e27a27f3ba2e6dd18f86c06eb3cbc7414ce9b8998a4b1ee3b20c9141e05347dd6cf220923d606f5e3a5650f91c065f1bf40d7fbc6c145414dfda937449f
Malware Config
Extracted
- Family: agenttesla
- Credentials (exfiltration channel used by the sample):
  - Protocol: smtp
  - Host: smtp.yandex.com
  - Port: 587
  - Username: mullarwhite@yandex.com
  - Password: challenge12345@
Signatures

AgentTesla
Agent Tesla is a remote access tool (RAT) written in Visual Basic.
AgentTesla Payload (4 IoCs)
Memory regions matched by YARA rule family_agenttesla:
- behavioral1/memory/836-2-0x0000000000400000-0x0000000000452000-memory.dmp
- behavioral1/memory/836-3-0x000000000044CA9E-mapping.dmp
- behavioral1/memory/836-4-0x0000000000400000-0x0000000000452000-memory.dmp
- behavioral1/memory/836-5-0x0000000000400000-0x0000000000452000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
- Process: RegSvcs.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\LKUgjc = "C:\\Users\\Admin\\AppData\\Roaming\\LKUgjc\\LKUgjc.exe"
Suspicious use of SetThreadContext (1 IoC)
- PID 1144 (AWB.exe) set thread context of PID 836 (RegSvcs.exe)
Suspicious behavior: EnumeratesProcesses (6 IoCs)
- PID 1144 (AWB.exe): 4 occurrences
- PID 836 (RegSvcs.exe): 2 occurrences
Suspicious use of AdjustPrivilegeToken (2 IoCs)
- Token: SeDebugPrivilege, PID 1144 (AWB.exe)
- Token: SeDebugPrivilege, PID 836 (RegSvcs.exe)
Suspicious use of WriteProcessMemory (16 IoCs)
- PID 1144 (AWB.exe) wrote to memory of PID 836 (RegSvcs.exe): 12 occurrences
- PID 836 (RegSvcs.exe) wrote to memory of PID 1612 (netsh.exe): 4 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\AWB.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\AWB.exe"
   - Suspicious use of SetThreadContext
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (child of 1)
      Command line: "{path}"
      - Adds Run key to start application
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\netsh.exe (child of 2)
         Command line: "netsh" wlan show profile
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/836-2-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/836-3-0x000000000044CA9E-mapping.dmp
- memory/836-4-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/836-5-0x0000000000400000-0x0000000000452000-memory.dmp (Filesize: 328KB)
- memory/1144-1-0x0000000000000000-0x0000000000000000-disk.dmp
- memory/1612-6-0x0000000000000000-mapping.dmp